From 9b1ccfe7539660177810a7cbf1789871d25fe43c Mon Sep 17 00:00:00 2001
From: Bart Geesink
Date: Thu, 14 Nov 2024 15:30:32 +0100
Subject: [PATCH 01/32] DIYIDP: Make the role compatible with the new mariadb docker

---
 roles/diyidp/defaults/main.yml | 2 ++
 roles/diyidp/tasks/main.yml | 3 +--
 roles/diyidp/templates/config-override.php.j2 | 4 ++--
 roles/diyidp/templates/saml20-idp-hosted.php.j2 | 2 +-
 4 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/roles/diyidp/defaults/main.yml b/roles/diyidp/defaults/main.yml
index 5fe652520..f2e8ca303 100644
--- a/roles/diyidp/defaults/main.yml
+++ b/roles/diyidp/defaults/main.yml
@@ -14,3 +14,5 @@ diyidp_remotesp:
 - name: "{{ instance_name }} SP metadata"
 metadataurl: "https://engine.{{ base_domain }}/authentication/sp/metadata"
 acslocation: "https://engine.{{ base_domain }}/authentication/sp/consume-assertion"
+diyidp_docker_networks:
+ - name: "loadbalancer"
diff --git a/roles/diyidp/tasks/main.yml b/roles/diyidp/tasks/main.yml
index 0688ddfe7..4f16c2423 100644
--- a/roles/diyidp/tasks/main.yml
+++ b/roles/diyidp/tasks/main.yml
@@ -74,8 +74,7 @@
 pull: true
 restart_policy: "always"
 state: started
- networks:
- - name: "loadbalancer"
+ networks: "{{ diyidp_docker_networks }}"
 labels:
 traefik.http.routers.diyidp.rule: "Host(`{{ diyidp_domain }}`)"
 traefik.http.routers.diyidp.tls: "true"
diff --git a/roles/diyidp/templates/config-override.php.j2 b/roles/diyidp/templates/config-override.php.j2
index 7418d5bfa..41d4b3b76 100644
--- a/roles/diyidp/templates/config-override.php.j2
+++ b/roles/diyidp/templates/config-override.php.j2
@@ -2,5 +2,5 @@
 $config['certdir'] = 'config/cert/';
 $config['metadatadir'] = 'config/metadata/';
 $config['auth.adminpassword'] = '{{ diyidp.admin_password }}';
-$config['baseurlpath'] = 'https://diyidp.{{ base_domain }}/';
-$config['theme.use'] = '{{ diyidp.theme |default("default") }}';
+$config['baseurlpath'] = 'https://{{ diyidp_domain }}/';
+$config['theme.use'] = '{{ diyidp_theme |default("default") }}';
diff --git a/roles/diyidp/templates/saml20-idp-hosted.php.j2 b/roles/diyidp/templates/saml20-idp-hosted.php.j2
index 6b8577f55..c741bce77 100644
--- a/roles/diyidp/templates/saml20-idp-hosted.php.j2
+++ b/roles/diyidp/templates/saml20-idp-hosted.php.j2
@@ -5,7 +5,7 @@
 * See: https://rnd.feide.no/content/idp-hosted-metadata-reference
 */
 
-$metadata['https://diyidp.{{ base_domain}}'] = array(
+$metadata['https://{{ diyidp_domain}}'] = array(
 /*
 * The hostname of the server (VHOST) that will use this SAML entity.
 *
From 33333586b8d721cb5225e4afbf6f6b86c1374399 Mon Sep 17 00:00:00 2001
From: Bart Geesink
Date: Thu, 14 Nov 2024 15:39:03 +0100
Subject: [PATCH 02/32] PDP: Make the push test mode configurable in stead of hard coded true

---
 roles/pdp/defaults/main.yml | 1 +
 roles/pdp/templates/serverapplication.properties.j2 | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/roles/pdp/defaults/main.yml b/roles/pdp/defaults/main.yml
index 272c9240e..4f548db6a 100644
--- a/roles/pdp/defaults/main.yml
+++ b/roles/pdp/defaults/main.yml
@@ -20,3 +20,4 @@ pdp_manage_provision_samlsp_sp_cert: ""
 pdp_manage_provision_samlsp_trusted_proxy: false
 pdp_manage_provision_samlsp_sign: false
 pdp_spring_flyway_enabled: true
+pdp_manage_push_testmode: true
diff --git a/roles/pdp/templates/serverapplication.properties.j2 b/roles/pdp/templates/serverapplication.properties.j2
index 0c4eee93f..27fd45f51 100644
--- a/roles/pdp/templates/serverapplication.properties.j2
+++ b/roles/pdp/templates/serverapplication.properties.j2
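Review bot: The new `diyidp_domain` and `diyidp_theme` flat variables now sit directly under `$config['auth.adminpassword'] = '{{ diyidp.admin_password }}'`, which still reads from the `diyidp` dictionary, so an environment has to configure the same role in two namespaces; `diyidp_domain` already exists in the tasks file (see the traefik label in the preceding hunk), so the tidier option is to move the remaining `diyidp.*` keys to flat `diyidp_*` names as well. In the saml20-idp-hosted hunk the added line reads `{{ diyidp_domain}}` without the space before the closing braces; `{{ diyidp_domain }}` keeps it consistent with config-override.php.j2.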
@@ -58,7 +58,7 @@ manage.password={{ manage_pdp_secret }}
 period.manage.refresh.minutes=10
 manage.manageBaseUrl=https://manage.{{ base_domain }}
 # If true the manage push is done against the pdp_migrated_policies for testing purposes
-manage.pushTestMode=true
+manage.pushTestMode={{ pdp_manage_push_testmode }}
 # Number of days how long the policy violations are retained
 policy.violation.retention.period.days=30
From d0af493ad581115793ce50bff0cc96d0969cc1e3 Mon Sep 17 00:00:00 2001
From: Thijs Kinkhorst
Date: Fri, 15 Nov 2024 15:46:31 +0100
Subject: [PATCH 03/32] Add sp-specific metadata checkbox also to RPs

Although it makes less natural sense than for SAML SPs (since the generated metadata is SAML), some consumers may have an interest in this metadata for their purposes.
---
 .../metadata_configuration/oidc10_rp.schema.json.j2 | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/roles/manage/templates/metadata_configuration/oidc10_rp.schema.json.j2 b/roles/manage/templates/metadata_configuration/oidc10_rp.schema.json.j2
index 08e6903e7..31386095d 100644
--- a/roles/manage/templates/metadata_configuration/oidc10_rp.schema.json.j2
+++ b/roles/manage/templates/metadata_configuration/oidc10_rp.schema.json.j2
@@ -328,6 +328,11 @@
 "type": "number",
 "info": "The height of the logo found at logo:0:url in pixels."
 },
+ "coin:sp_specific_metadata": {
+ "type": "boolean",
+ "default": false,
+ "info": "Publish SP-specific metadata containing only whitelisted IdPs."
+ },
 "coin:push_enabled": {
 "type": "boolean",
 "default": false,
From ccca7aadc91769597d61b370777517cc4b6548ee Mon Sep 17 00:00:00 2001
From: Okke Harsta
Date: Tue, 19 Nov 2024 13:31:51 +0100
Subject: [PATCH 04/32] Disable performance-seed

---
 roles/invite/templates/serverapplication.yml.j2 | 1 +
 1 file changed, 1 insertion(+)

diff --git a/roles/invite/templates/serverapplication.yml.j2 b/roles/invite/templates/serverapplication.yml.j2
index f643acca0..aa04da69e 100644
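Review bot: `manage.pushTestMode={{ pdp_manage_push_testmode }}` renders the YAML boolean from defaults as the string `True`; Java's boolean parsing is case-insensitive so it works, but `manage.pushTestMode={{ pdp_manage_push_testmode | bool | to_json }}` writes the canonical `true`/`false` and normalises an unexpected inventory value instead of passing it through, matching how the other boolean toggles in this series are rendered. Note also that the new default `pdp_manage_push_testmode: true` in the preceding hunk keeps test mode switched on for every environment that does not explicitly set it; that reproduces the old hard-coded value, but it means production inventories must opt out, which deserves a comment next to the default.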
--- a/roles/invite/templates/serverapplication.yml.j2
+++ b/roles/invite/templates/serverapplication.yml.j2
@@ -119,6 +119,7 @@ config:
 feature:
 limit-institution-admin-role-visibility: {{ invite.limit_institution_admin_role_visibility }}
+ enable-performance-seed: False
 # We don't encode in-memory passwords, but they are reused so do NOT prefix them with {noop}
 external-api-configuration:
From 708a6be0fbc34971439c5a4604570654b5e928cb Mon Sep 17 00:00:00 2001
From: Okke Harsta
Date: Tue, 19 Nov 2024 14:48:06 +0100
Subject: [PATCH 05/32] Do not allow for seed-generation other than localhost

---
 roles/invite/templates/serverapplication.yml.j2 | 1 +
 1 file changed, 1 insertion(+)

diff --git a/roles/invite/templates/serverapplication.yml.j2 b/roles/invite/templates/serverapplication.yml.j2
index aa04da69e..394eaaaf1 100644
--- a/roles/invite/templates/serverapplication.yml.j2
+++ b/roles/invite/templates/serverapplication.yml.j2
@@ -115,6 +115,7 @@ config:
 eduid-entity-id: "https://login.{{ myconext_base_domain }}"
 role-search-required: false
 past-date-allowed: {{ invite.past_date_allowed }}
+ performance-seed-allowed: False
 eduid-idp-schac-home-organization: {{ invite.eduid_idp_schac_home_organization }}
 
 feature:
From 9cf8c6311311418929720efc579103f00e669b1f Mon Sep 17 00:00:00 2001
From: Okke Harsta
Date: Tue, 26 Nov 2024 10:32:05 +0100
Subject: [PATCH 06/32] Allow for performance seed invite on test2

---
 roles/invite/templates/serverapplication.yml.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/invite/templates/serverapplication.yml.j2 b/roles/invite/templates/serverapplication.yml.j2
index 394eaaaf1..fc9259765 100644
--- a/roles/invite/templates/serverapplication.yml.j2
+++ b/roles/invite/templates/serverapplication.yml.j2
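Review bot: `enable-performance-seed: False` uses the capitalised YAML 1.1 spelling while the surrounding context in this template (`role-search-required: false`) uses lowercase; Spring's YAML loader accepts both, but yamllint's truthy rule flags the capitalised form and mixed spellings make the file harder to grep. Write `enable-performance-seed: false`; the `performance-seed-allowed: False` line added in PATCH 05 on this same file has the same casing.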
@@ -115,7 +115,7 @@ config:
 eduid-entity-id: "https://login.{{ myconext_base_domain }}"
 role-search-required: false
 past-date-allowed: {{ invite.past_date_allowed }}
- performance-seed-allowed: False
+ performance-seed-allowed: {{ invite.performance_seed_allowed }}
 eduid-idp-schac-home-organization: {{ invite.eduid_idp_schac_home_organization }}
 
 feature:
From fff42d10e02bf3df41cabf258d20ade51422e9a7 Mon Sep 17 00:00:00 2001
From: Okke Harsta
Date: Tue, 26 Nov 2024 14:40:30 +0100
Subject: [PATCH 07/32] Added missing feature_send_js_exceptions: true

---
 environments/template/group_vars/template.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/environments/template/group_vars/template.yml b/environments/template/group_vars/template.yml
index 74f01d787..3374a4b90 100644
--- a/environments/template/group_vars/template.yml
+++ b/environments/template/group_vars/template.yml
@@ -419,6 +419,7 @@ myconext:
 feature_show_connections: false
 feature_id_verify: true
 feature_remote_creation_api: true
+ feature_send_js_exceptions: true
 feature_deny_disposable_email_providers: true
 feature_create_eduid_institution_enabled: true
 feature_create_eduid_institution_landing: true
From 18a32b90fbc20a75721b79f4f798fbbb9ad280e6 Mon Sep 17 00:00:00 2001
From: Bart Geesink
Date: Tue, 26 Nov 2024 20:56:15 +0100
Subject: [PATCH 08/32] DIYIDP: Only create docker mariadb network when the boolean mariadb_in_docker has been set to true

---
 roles/diyidp/tasks/main.yml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/roles/diyidp/tasks/main.yml b/roles/diyidp/tasks/main.yml
index 4f16c2423..f4e90ff64 100644
--- a/roles/diyidp/tasks/main.yml
+++ b/roles/diyidp/tasks/main.yml
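Review bot: `performance-seed-allowed: {{ invite.performance_seed_allowed }}` renders the inventory value verbatim, so a YAML boolean comes out as `True`/`False` and a quoted string such as `"no"` would be handed to Spring unchanged; `performance-seed-allowed: {{ invite.performance_seed_allowed | bool | to_json }}` normalises it to `true`/`false` and matches how the other boolean parameters in this series are rendered. Leaving the variable without a `default` is the right call for a switch like this, since a missing value then fails the template run instead of silently choosing a side.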
@@ -67,6 +67,13 @@
 mode: "0644"
 notify: restart diyidp
 
+- name: Add the mariadb docker network to the list of networks when MariaDB runs in Docker
+ ansible.builtin.set_fact:
+ diyidp_docker_networks:
+ - name: loadbalancer
+ - name: openconext_mariadb
+ when: mariadb_in_docker | default(false) | bool
+
 - name: Create the container
 community.docker.docker_container:
 name: diyidp
From d02b582f6c3284bdde3995534e9adebb789e201c Mon Sep 17 00:00:00 2001
From: Bart Geesink
Date: Fri, 25 Oct 2024 16:21:41 +0200
Subject: [PATCH 09/32] Engineblock: Move to docker

---
 provision.yml | 5 +-
 roles/engineblock/defaults/main.yml | 4 +-
 roles/engineblock/handlers/main.yml | 6 +
 roles/engineblock/tasks/main.yml | 375 +++++++-----------
 roles/engineblock/templates/parameters.yml.j2 | 18 +-
 roles/engineblock/vars/docker.yml | 3 +
 6 files changed, 169 insertions(+), 242 deletions(-)
 create mode 100644 roles/engineblock/vars/docker.yml

diff --git a/provision.yml b/provision.yml
index 5a21697c3..90b4bfcfb 100644
--- a/provision.yml
+++ b/provision.yml
@@ -98,10 +98,6 @@
 tags: ['app_php', 'static']
 - role: openconext-common
 tags: ['core', 'app_php', 'eb', 'profile']
- - role: engineblock
- when:
- - inventory_hostname not in groups['lifecycle']
- tags: ['core', 'app_php', 'eb']
 - role: lifecycle
 when:
 - inventory_hostname in groups['lifecycle']
@@ -187,6 +183,7 @@
 - { role: diyidp, tags: ["diyidp"] }
 - { role: profile, tags: ["profile"] }
 - { role: lifecycle, tags: ["lifecycle"] }
+ - { role: engineblock, tags: ["eb"] }
 - { role: stepuptiqr, tags: ['stepuptiqr' , 'stepup'] }
 
 - import_playbook: "{{ environment_dir }}/playbook.yml"
diff --git a/roles/engineblock/defaults/main.yml b/roles/engineblock/defaults/main.yml
index 389247a44..1ab26ffcc 100644
--- a/roles/engineblock/defaults/main.yml
+++ b/roles/engineblock/defaults/main.yml
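Review bot: The `set_fact` replaces `diyidp_docker_networks` with a hard-coded two-entry list, so any environment that overrides the role default (which PATCH 01 introduced precisely so it could be overridden) loses its own networks whenever `mariadb_in_docker` is true. Appending to the existing value keeps both: `diyidp_docker_networks: "{{ diyidp_docker_networks + [{'name': 'openconext_mariadb'}] }}"`. Minor: `loadbalancer` is quoted in defaults/main.yml and unquoted here; pick one style.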
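Review bot: Moving `engineblock` into the second play drops the `inventory_hostname not in groups['lifecycle']` guard and narrows its tags from `['core', 'app_php', 'eb']` to `["eb"]`, so a run limited with `--tags core` or `--tags app_php` no longer deploys EngineBlock, and if the second play's host group includes lifecycle hosts the role now runs there as well. If both are intended, saying so in the commit message would save the next reader from checking the play targets; otherwise carry the `when:` over to the new entry.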
@@ -1,4 +1,3 @@
-#---
 ## Version of EngineBlock that is installable by this role
 engine_version: ''
 # Be aware that if you enable this option that NPM, Node.js and Composer are installed
@@ -13,7 +12,6 @@ engine_feature_enable_sso_session_cookie: 0
 engine_feature_enable_consent: 1
 engine_feature_stepup_override_entityid: 0
 engine_feature_idp_initiated_flow: 1
-
 engine_api_feature_metadata_push: 1
 engine_api_feature_consent_listing: 1
 engine_api_feature_consent_remove: 0
@@ -128,3 +126,5 @@ engineblock_selenium_install_dir: /opt
 
 # Composer
 composer_path: /usr/local/bin/composer
+
+engineblock_log_attributes: []
diff --git a/roles/engineblock/handlers/main.yml b/roles/engineblock/handlers/main.yml
index 8a2235003..ee9e9e1e8 100644
--- a/roles/engineblock/handlers/main.yml
+++ b/roles/engineblock/handlers/main.yml
@@ -3,3 +3,9 @@
 service:
 name: php72-php-fpm
 state: restarted
+
+- name: restart engine
+ community.docker.docker_container:
+ name: engine
+ state: started
+ restart: true
diff --git a/roles/engineblock/tasks/main.yml b/roles/engineblock/tasks/main.yml
index 2baa50469..c68843405 100644
--- a/roles/engineblock/tasks/main.yml
+++ b/roles/engineblock/tasks/main.yml
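Review bot: The new `restart engine` handler targets `name: engine`, but the container that the tasks file in this same patch creates is `name: "engineblock"`, so the handler notified by `Place parameters.yml` and the language-override task never restarts the running EngineBlock container (with no `image` given, docker_container presumably cannot create a container named `engine` either, so the play is more likely to fail at handler time than to do nothing). Change the handler to `name: engineblock`. The handler hunk in PATCH 12 keeps `name: engine` as context and needs the same fix.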
@@ -1,300 +1,223 @@ ---- -- name: Add group {{ engine_fpm_user }} - group: - name: "{{ engine_fpm_user }}" +- name: Include docker vars + ansible.builtin.include_vars: docker.yml + +- name: Add group engine + ansible.builtin.group: + name: "engine" state: present + register: engine_guid -- name: Add user {{ engine_fpm_user }} - user: - name: "{{ engine_fpm_user }}" - group: "{{ engine_fpm_user }}" - createhome: no +- name: Add user engine + ansible.builtin.user: + name: "engine" + group: "engine" + createhome: false state: present + register: engine_uid -- name: Create directory for vhosts to store PHP sessions - file: - path: "{{ php_session_dir}}/engine" +- name: Create some dirs + ansible.builtin.file: state: directory - owner: "{{ engine_fpm_user }}" + dest: "{{ item }}" + owner: root group: root - mode: 0770 - -- name: Install build tools (npm, composer) - include_tasks: build.yml - when: - - "(engine_branch is defined and engine_branch != '') or develop" - -- name: Include install-release.yml - include_tasks: install-release.yml - when: - - "(engine_branch is not defined or engine_branch == '') and not develop" - -- name: Include install-branch.yml - include_tasks: install-branch.yml - when: - - "(engine_branch is defined and engine_branch != '') and not develop" - -- name: Include develop.yml - include_tasks: develop.yml - when: - - develop | bool - -- name: Include test.yml - include_tasks: test.yml - when: - - develop | bool + mode: "0755" + with_items: + - "{{ current_release_config_dir_name }}" + - "{{ current_release_config_dir_name }}/certs" + - "{{ current_release_config_dir_name }}/configs" + - "{{ current_release_config_dir_name }}/images" + - "{{ current_release_config_dir_name }}/languages" - name: Place parameters.yml - template: - src: "{{ item }}.j2" - dest: "{{ engine_current_release_symlink }}/app/config/{{ item }}" - mode: 0644 - with_items: - - parameters.yml - notify: - - "restart php72-fpm" + ansible.builtin.template: + src: 
parameters.yml.j2 + dest: "{{ current_release_config_dir_name }}/configs/parameters.yml" + mode: "0640" + owner: root + group: engine + notify: restart engine - name: Check presence of environment specific attributes.json - local_action: stat path="{{ inventory_dir }}/files/eb/attributes.json" + ansible.builtin.stat: + path: "{{ inventory_dir }}/files/eb/attributes.json" register: attributes_json_present become: false + delegate_to: localhost - name: Copy environment specific attributes.json - copy: + ansible.builtin.copy: src: "{{ inventory_dir }}/files/eb/attributes.json" - dest: "{{ openconext_releases_dir }}/OpenConext-engineblock/application/configs/" + dest: "{{ current_release_config_dir_name }}/configs/" + mode: "0644" + owner: root + group: engine when: attributes_json_present.stat.exists - name: Check presence of language specific overrides - local_action: stat path="{{ inventory_dir }}/files/eb/languages/" + ansible.builtin.stat: + path: "{{ inventory_dir }}/files/eb/languages/" register: overrides_present become: false + delegate_to: localhost - name: Copy language specific overrides - template: + ansible.builtin.template: src: "{{ item }}" - dest: "{{ openconext_releases_dir }}/OpenConext-engineblock/languages" + dest: "{{ current_release_config_dir_name }}/languages/" + owner: root + group: engine + mode: "0644" when: overrides_present.stat.exists with_fileglob: - "{{ inventory_dir }}/files/eb/languages/*" notify: - - "restart php72-fpm" + - "restart engine" - name: Check if we have a custom logo - local_action: stat path="{{ inventory_dir }}/files/logo.png" + ansible.builtin.stat: + path: "{{ inventory_dir }}/files/logo.png" register: customlogo become: false + delegate_to: localhost - name: Install environment specific logo - copy: + ansible.builtin.copy: src: "{{ inventory_dir }}/files/logo.png" - dest: "{{ openconext_releases_dir }}/OpenConext-engineblock/web/images/" + dest: "{{ current_release_config_dir_name }}/images/" + owner: root + group: 
engine + mode: "0644" when: customlogo.stat.exists - name: Check if we have a custom favicon - local_action: stat path="{{ inventory_dir }}/files/favicon.ico" + ansible.builtin.stat: + path: "{{ inventory_dir }}/files/favicon.ico" register: customfavicon become: false + delegate_to: localhost - name: Install environment specific favicon - copy: + ansible.builtin.copy: src: "{{ inventory_dir }}/files/favicon.ico" - dest: "{{ openconext_releases_dir }}/OpenConext-engineblock/web/" + dest: "/opt/openconext/common/" + owner: root + group: root + mode: "0644" when: customfavicon.stat.exists - name: Check if we have a custom background back image for the feedback page - local_action: stat path="{{ inventory_dir }}/files/eb/background-back.svg" + ansible.builtin.stat: + path: "{{ inventory_dir }}/files/eb/background-back.svg" register: eb_customfeedbackbackground become: false + delegate_to: localhost - name: Install environment specific background back image - copy: + ansible.builtin.copy: src: "{{ inventory_dir }}/files/eb/background-back.svg" - dest: "{{ openconext_releases_dir }}/OpenConext-engineblock/web/images/" + dest: "{{ current_release_config_dir_name }}/images/" + owner: root + group: engine + mode: "0644" when: eb_customfeedbackbackground.stat.exists - name: Check if we have a custom background front image for the feedback page - local_action: stat path="{{ inventory_dir }}/files/eb/background-front.svg" + ansible.builtin.stat: + path: "{{ inventory_dir }}/files/eb/background-front.svg" register: eb_customfeedbackforeground become: false + delegate_to: localhost - name: Install environment specific background front image - copy: + ansible.builtin.copy: src: "{{ inventory_dir }}/files/eb/background-front.svg" - dest: "{{ openconext_releases_dir }}/OpenConext-engineblock/web/images/" + dest: "{{ current_release_config_dir_name }}/images/" + owner: root + group: engine + mode: "0644" when: eb_customfeedbackforeground.stat.exists - name: Check if we have a Stepup 
GW certificate - local_action: stat path="{{ inventory_dir }}/files/certs/stepup_gateway.pem" + ansible.builtin.stat: + path: "{{ inventory_dir }}/files/certs/stepup_gateway.pem" register: eb_stepupgwcert become: false + delegate_to: localhost - name: Install Stepup GW certificate - copy: + ansible.builtin.copy: src: "{{ inventory_dir }}/files/certs/stepup_gateway.pem" - dest: "{{ engine_stepup_gateway_sfo_public_key_file }}" + dest: "{{ current_release_config_dir_name }}/certs/" + owner: root + group: engine + mode: "0644" when: eb_stepupgwcert.stat.exists -- name: Install Apache vhost - template: - src: "{{ item }}.j2" - dest: "/etc/httpd/conf.d/{{ item }}" - with_items: - - engine.conf - - engine-api.conf - notify: - - "restart httpd" - -- name: clean up old php-fpm 5.6 config - file: - path: "/etc/php-fpm.d/engine-pool.conf" - state: absent - -- name: php-fpm 72 config - template: - src: "{{ item }}.j2" - dest: "/etc/opt/remi/php72/php-fpm.d/{{ item }}" - with_items: - - engine-pool-72.conf - notify: - - "restart php72-fpm" - -- name: copy over the engineblock keys - copy: - content: "{{ engineblock_private_keys[item.key] }}" - dest: "{{ item.value.privateFile }}" - owner: "{{ engine_fpm_user }}" - group: root - mode: 0440 - with_dict: "{{ engine_keys }}" - -- name: copy engineblock certificates to correct location - copy: - src: "{{ inventory_dir }}/files/certs/{{ item.value.publicKey }}" - dest: "{{ item.value.publicFile }}" - with_dict: "{{ engine_keys }}" - when: - - not engine_crt_not_in_inventory - -- name: copy engineblock certificates to correct location when not located in the inventory dir - copy: - src: "files/certs/{{ item.value.publicKey }}" - dest: "{{ item.value.publicFile }}" - with_dict: "{{ engine_keys }}" - when: - - engine_crt_not_in_inventory | bool - -- name: Make the SYMFONY_ENV var available for scripts - become: yes - lineinfile: - dest: "/etc/environment" - state: present - line: "SYMFONY_ENV={{ engine_apache_symfony_environment }}" - 
-- name: Create EngineBlock test database - mysql_db: - name: "{{ engine_test_database_name }}" - state: present - when: - - develop | bool - -- name: Create EngineBlock test database user - mysql_user: - name: "{{ engine_test_database_user }}" - host: "{{ engine_test_database_host }}" - password: "{{ engine_test_database_password }}" - priv: "{{ engine_test_database_name }}.*:ALL" - state: present - when: - - develop | bool - -- name: Check existence of the eb database - shell: php72 app/console doctrine:migrations:status --env={{ engine_apache_symfony_environment }} | grep "Current Version" | awk '{print $4 }' - args: - chdir: "{{ openconext_releases_dir }}/OpenConext-engineblock" - register: eb_database_version - changed_when: False - run_once: True - -- name: Check doctrine migrations status - shell: php72 app/console doctrine:migrations:status --env={{ engine_apache_symfony_environment }} - args: - chdir: "{{ openconext_releases_dir }}/OpenConext-engineblock" - register: eb_database_migration_status - changed_when: False - run_once: True - -- name: Print return information from the previous task - ansible.builtin.debug: - var: eb_database_migration_status - -- name: Create the database schema - command: "php72 app/console doctrine:schema:create -n --env={{ engine_apache_symfony_environment }}" - args: - chdir: "{{ openconext_releases_dir }}/OpenConext-engineblock" - when: - - eb_database_version.stdout == '0' - run_once: True - -- name: Add migration versions to the database - command: "php72 app/console doctrine:migrations:version -n --add --all --env={{ engine_apache_symfony_environment }}" - args: - chdir: "{{ openconext_releases_dir }}/OpenConext-engineblock" - when: - - eb_database_version.stdout == '0' - run_once: True - -- name: Run EngineBlock Doctrine migrations - command: "php72 app/console doctrine:migrations:migrate -n --env={{ engine_apache_symfony_environment }}" - args: - chdir: "{{ openconext_releases_dir }}/OpenConext-engineblock" - register: 
doctrine_migrations_output - changed_when: "'No migrations to execute' not in doctrine_migrations_output.stdout" - tags: enginemigrations - when: - - engine_skip_db_migration is undefined - run_once: true - -- name: Clear the symfony cache - command: "php72 app/console cache:clear --env={{ engine_apache_symfony_environment }} --no-debug" - args: - chdir: "{{ openconext_releases_dir }}/OpenConext-engineblock" - when: - - not develop - changed_when: false - -- name: Make sure cache dir has correct permissions - file: - path: "{{engine_current_release_symlink}}/app/cache" - owner: "{{ engine_fpm_user }}" - group: "{{ engine_fpm_user }}" - recurse: yes - when: - - not develop - changed_when: False - -- name: Make sure log dir has correct permissions - file: - path: "{{engine_current_release_symlink}}/app/logs" - owner: "{{ engine_fpm_user }}" - group: "{{ engine_fpm_user }}" - recurse: yes - when: not develop - -# Remove all dirs, but keep the current version and from the rest the most recent one. -- name: Clean up old releases - shell: ls -td {{ openconext_releases_dir }}/OpenConext-engineblock-* | grep -v $(readlink {{ engine_current_release_symlink }}) | tail -n +2 | xargs --no-run-if-empty rm -rv - register: clean_engine_releases - changed_when: '"removed" in clean_engine_releases.stdout' - -# Remove all tarballs, but keep the current version and from the rest the most recent one. 
-- name: Clean up old builds - shell: ls -td {{ openconext_builds_dir }}/OpenConext-engineblock-* {{ openconext_builds_dir }}/Releases/ | grep -v {{ engine_build_path }} | tail -n +2 | xargs --no-run-if-empty rm -rv - register: clean_engine_builds - changed_when: '"removed" in clean_engine_builds.stdout' +- name: Copy over the engineblock keys + ansible.builtin.copy: + content: "{{ item.private_key }}" + dest: "{{ current_release_config_dir_name }}/certs/{{ item.name }}.key" + owner: root + group: engine + mode: "0440" + loop: "{{ engine_key_and_certs }}" + +- name: Copy engineblock certificates to correct location + ansible.builtin.copy: + src: "{{ inventory_dir }}/files/certs/{{ item.crt_name }}" + dest: "{{ current_release_config_dir_name }}/certs/{{ item.name }}.crt" + owner: root + group: engine + mode: "0644" + loop: "{{ engine_key_and_certs }}" + +- name: Create the container + community.docker.docker_container: + name: "engineblock" + image: ghcr.io/openconext/openconext-engineblock/openconext-engineblock:{{ engine_version }} + pull: true + restart_policy: "always" + networks: + - name: "loadbalancer" + labels: + traefik.http.routers.engine.rule: "Host(`engine.{{ base_domain }}`)" + traefik.http.routers.engine.service: "engineblock" + traefik.http.routers.engine.tls: "true" + traefik.http.routers.engineapi.rule: "Host(`engine-api.{{ base_domain }}`)" + traefik.http.routers.engineapi.service: "engineblock" + traefik.http.routers.engineapi.tls: "true" + traefik.enable: "true" + env: + APACHE_UID: "#{{ engine_uid.uid }}" + APACHE_GUID: "#{{ engine_guid.gid }}" + etc_hosts: + host.docker.internal: host-gateway + mounts: + - source: "{{ current_release_config_dir_name }}/configs/parameters.yml" + target: "/var/www/html/app/config/parameters.yml" + type: bind + - source: "{{ current_release_config_dir_name }}/configs/attributes.json" + target: "/var/www/html/app/config/attributes.json" + type: bind + - source: "{{ current_release_config_dir_name 
}}/images/background-back.svg" + target: "/var/www/html/web/images/background-back.svg" + type: bind + - source: "{{ current_release_config_dir_name }}/images/background-front.svg" + target: "/var/www/html/web/images/background-front.svg" + type: bind + - source: "{{ current_release_config_dir_name }}/images/logo.png" + target: "/var/www/html/web/images/logo.png" + type: bind + - source: "{{ current_release_config_dir_name }}/certs/" + target: "/var/www/html/certs/" + type: bind + - source: "/opt/openconext/common/favicon.ico" + target: "/var/www/html/web/favicon.ico" + type: bind diff --git a/roles/engineblock/templates/parameters.yml.j2 b/roles/engineblock/templates/parameters.yml.j2 index 5982aa21a..19a23f77e 100644 --- a/roles/engineblock/templates/parameters.yml.j2 +++ b/roles/engineblock/templates/parameters.yml.j2 @@ -38,18 +38,17 @@ parameters: ## * How attributes are displayed in Profile and Consent ## * How attributes are Normalized and Denormalized ## * How attributes are validated - attribute_definition_file_path: {{ openconext_releases_dir }}/OpenConext-engineblock/application/configs/attributes.json + attribute_definition_file_path: {{ engine_config_dir }}/attributes.json ## The Signing / Encryption keys used for the SAML2 authentication and metadata ## When EngineBlock signs responses (when it acts as an Idp) ## or requests (when it acts as an SP) it uses these X.509 certs. encryption_keys: -{% for key, value in engine_keys.items() %} - {{ key }}: - publicFile: {{ value.publicFile }} - privateFile: {{ value.privateFile }} +{% for engine_key in engine_key_and_certs %} + {{ engine_key.name }}: + publicFile: "{{ engine_certs_dir }}/{{ engine_key.name}}.crt" + privateFile: "{{ engine_certs_dir}}/{{ engine_key.name }}.key" {% endfor %} - ## List of signature methods explicitly forbidden by EngineBlock. forbidden_signature_methods: { } 
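Review bot: Every entry under `mounts` is an unconditional `type: bind`, but attributes.json, logo.png, the two background SVGs and the favicon are only placed by the preceding copy tasks `when: <stat>.stat.exists`, and the Docker mounts API refuses a bind whose source path is missing, so an environment lacking any one of these optional files cannot create the container at all. Build the `mounts` list from the registered stat results instead (for example a `set_fact` that appends each optional entry only when its `stat.exists` is true), or ship a default file for every mounted path. The `overrides.en.php`/`overrides.nl.php` binds added in PATCH 10 inherit the same problem, since the language copy task is also conditional and per file. Separately, `networks` is hard-coded to `loadbalancer` here while the diyidp role in this series gained a `mariadb_in_docker` path; if EngineBlock's database can also run in Docker it will need the same treatment.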
@@ -209,7 +208,7 @@ parameters: ## Swiftmailer configuration mailer_transport: 'smtp' - mailer_host: 'localhost' + mailer_host: '{{ smtp_server }}' mailer_port: '25' mailer_user: '' mailer_password: '' @@ -231,7 +230,6 @@ parameters: feature_enable_consent: {{ engine_feature_enable_consent | bool | to_json }} feature_stepup_sfo_override_engine_entityid: {{ engine_feature_stepup_override_entityid | bool | to_json }} feature_enable_idp_initiated_flow: {{ engine_feature_idp_initiated_flow | bool | to_json }} - ########################################################################################## ## PROFILE SETTINGS ########################################################################################## @@ -268,7 +266,7 @@ parameters: ## The single sign-on endpoint used for Stepup Gateway SFO callouts stepup.gateway.sfo.sso_location: '{{ engine_stepup_gateway_sfo_sso_location | replace("%","%%") }}' ## The public key from the Stepup Gateway IdP - stepup.gateway.sfo.key_file: {{ engine_stepup_gateway_sfo_public_key_file | replace("%","%%") }} + stepup.gateway.sfo.key_file: "{{ engine_certs_dir }}/stepup_gateway.pem" ## You can override the default entityID used by Engineblock for its callout to stepup gateway. ## You also need to enable the feature toggle feature_stepup_sfo_override_engine_entityid above. stepup.sfo.override_engine_entityid: '{{ engine_stepup_override_entityid }}' @@ -308,4 +306,4 @@ parameters: # A (list) mapping is for example : where the label represents the label that is # used in the authentication log record. The attributeName will be searched in the response attributes and if present # the log data will be enriched. The values of the response attributes are the final values after ARP and Attribute Manipulation. - auth.log.attributes: [] + auth.log.attributes: {{ engineblock_log_attributes }} diff --git a/roles/engineblock/vars/docker.yml b/roles/engineblock/vars/docker.yml new file mode 100644 index 000000000..d9a3a943b --- /dev/null 
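Review bot: `auth.log.attributes: {{ engineblock_log_attributes }}` renders the variable with Python's repr, which happens to be valid YAML for the empty default but is not guaranteed for a populated list of `label`/`attributeName` mappings from an inventory (boolean or null members would come out as `True`/`None`). Use `auth.log.attributes: {{ engineblock_log_attributes | to_json }}`, as the feature toggles in the `@@ -231` hunk already do with `| bool | to_json`. Also, `stepup.gateway.sfo.key_file` now points unconditionally at `{{ engine_certs_dir }}/stepup_gateway.pem` while the copy task in tasks/main.yml installs that file only when it exists in the inventory; that is presumably fine if EngineBlock opens the file only when SFO is used, but it is worth confirming.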
+++ b/roles/engineblock/vars/docker.yml @@ -0,0 +1,3 @@ +current_release_config_dir_name: /opt/openconext/engine +engine_config_dir: /var/www/html/app/config +engine_certs_dir: /var/www/html/certs From 9612abfe6e962f7323a57f0a02fa6df35dac37a2 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Tue, 5 Nov 2024 09:33:56 +0100 Subject: [PATCH 10/32] Engineblock: Mount the language overrides files --- roles/engineblock/tasks/main.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/engineblock/tasks/main.yml b/roles/engineblock/tasks/main.yml index c68843405..f6475c9cd 100644 --- a/roles/engineblock/tasks/main.yml +++ b/roles/engineblock/tasks/main.yml @@ -203,6 +203,12 @@ - source: "{{ current_release_config_dir_name }}/configs/parameters.yml" target: "/var/www/html/app/config/parameters.yml" type: bind + - source: "{{ current_release_config_dir_name }}/languages/overrides.en.php" + target: "/var/www/html/languages/overrides.en.php" + type: bind + - source: "{{ current_release_config_dir_name }}/languages/overrides.nl.php" + target: "/var/www/html/languages/overrides.nl.php" + type: bind - source: "{{ current_release_config_dir_name }}/configs/attributes.json" target: "/var/www/html/app/config/attributes.json" type: bind From b301da5ccf665c2e38975166f18f46c9bfaaafac Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Thu, 14 Nov 2024 13:41:31 +0100 Subject: [PATCH 11/32] EB: Mount a volume in /tmp to save the sessions --- roles/engineblock/tasks/main.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/roles/engineblock/tasks/main.yml b/roles/engineblock/tasks/main.yml index f6475c9cd..594b4f85d 100644 --- a/roles/engineblock/tasks/main.yml +++ b/roles/engineblock/tasks/main.yml 
@@ -178,6 +178,11 @@ mode: "0644" loop: "{{ engine_key_and_certs }}" +- name: Create Docker volume to contain the sessions + community.docker.docker_volume: + name: engineblock_sessions + state: present + - name: Create the container community.docker.docker_container: name: "engineblock" @@ -197,6 +202,7 @@ env: APACHE_UID: "#{{ engine_uid.uid }}" APACHE_GUID: "#{{ engine_guid.gid }}" + TZ: "{{ timezone }}" etc_hosts: host.docker.internal: host-gateway mounts: @@ -227,3 +233,6 @@ - source: "/opt/openconext/common/favicon.ico" target: "/var/www/html/web/favicon.ico" type: bind + - source: engineblock_sessions + target: /tmp/ + type: volume From a9546eeab2877e2569e7b171fdff505b98534c33 Mon Sep 17 00:00:00 2001 
From: Bart Geesink Date: Wed, 20 Nov 2024 08:27:01 +0100 Subject: [PATCH 12/32] Engineblock: Clean non docker related configuration --- roles/engineblock/defaults/main.yml | 29 +-- roles/engineblock/handlers/main.yml | 5 - roles/engineblock/tasks/build.yml | 43 ---- roles/engineblock/tasks/develop.yml | 46 ---- roles/engineblock/tasks/install-branch.yml | 45 ---- roles/engineblock/tasks/install-release.yml | 31 --- roles/engineblock/tasks/main.yml | 21 +- roles/engineblock/tasks/test.yml | 36 --- .../engineblock/templates/engine-api.conf.j2 | 54 ----- .../templates/engine-pool-72.conf.j2 | 227 ------------------ roles/engineblock/templates/engine.conf.j2 | 56 ----- roles/engineblock/templates/selenium-unit.j2 | 11 - .../engineblock/vars/{docker.yml => main.yml} | 0 13 files changed, 9 insertions(+), 595 deletions(-) delete mode 100644 roles/engineblock/tasks/build.yml delete mode 100644 roles/engineblock/tasks/develop.yml delete mode 100644 roles/engineblock/tasks/install-branch.yml delete mode 100644 roles/engineblock/tasks/install-release.yml delete mode 100644 roles/engineblock/tasks/test.yml delete mode 100644 roles/engineblock/templates/engine-api.conf.j2 delete mode 100644 roles/engineblock/templates/engine-pool-72.conf.j2 delete mode 100644 roles/engineblock/templates/engine.conf.j2 delete mode 100644 roles/engineblock/templates/selenium-unit.j2 rename roles/engineblock/vars/{docker.yml => main.yml} (100%) diff --git a/roles/engineblock/defaults/main.yml b/roles/engineblock/defaults/main.yml index 1ab26ffcc..c58a30d05 100644 --- a/roles/engineblock/defaults/main.yml +++ b/roles/engineblock/defaults/main.yml @@ -1,7 +1,6 @@ ## Version of EngineBlock that is installable by this role -engine_version: '' +engine_version: "" # Be aware that if you enable this option that NPM, Node.js and Composer are installed -#engine_branch: "develop" # Feature toggles engine_feature_encrypted_assertions: 1 engine_feature_encrypted_assertions_require_outer_signature: 1 
@@ -42,7 +41,7 @@ engine_domain: engine.{{ base_domain }} engine_debug: false engine_theme: "skeune" -#engine_theme: openconext +# engine_theme: openconext engine_profile_baseurl: "https://profile.{{ base_domain }}" @@ -90,17 +89,6 @@ engine_stepup_gateway_sfo_public_key_file: "{{ engine_keys.default.publicFile }} ## The minimum priority of messages that will be logged engine_logging_passthru_level: NOTICE -#engine_initial_sql: '' - -engineblock_symfony_cache_path: "/tmp/engineblock/cache" -engineblock_symfony_log_path: "{{ engine_current_release_symlink }}/var/logs" - -engine_fpm_user: engine -engine_fpm_port: 801 -engine_fpm_memory: 128M -# When using vagrant for provisioning, it's not possible to put something in the inventory dir -engine_crt_not_in_inventory: false - # The memory limit used for the metadata push engine_metadata_push_memory_limit: 256M @@ -116,15 +104,4 @@ eb_tos_url: "https://example.org" engine_site_notice_show: false -# Backwards compatibility with older secrets files -engineblock_private_keys: - default: "{{ engineblock_private_key }}" - -# Webdriver test settings -engineblock_selenium_version: 2.53.1 -engineblock_selenium_install_dir: /opt - -# Composer -composer_path: /usr/local/bin/composer - -engineblock_log_attributes: [] +engineblock_log_attributes: [] diff --git a/roles/engineblock/handlers/main.yml b/roles/engineblock/handlers/main.yml index ee9e9e1e8..6ab193b9f 100644 --- a/roles/engineblock/handlers/main.yml +++ b/roles/engineblock/handlers/main.yml @@ -1,9 +1,4 @@ --- -- name: restart php72-fpm - service: - name: php72-php-fpm - state: restarted - - name: restart engine community.docker.docker_container: name: engine diff --git a/roles/engineblock/tasks/build.yml b/roles/engineblock/tasks/build.yml deleted file mode 100644 index 566f0e6f6..000000000 --- a/roles/engineblock/tasks/build.yml +++ /dev/null 
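Review bot: The third `defaults/main.yml` hunk drops the `engineblock_private_keys: default: "{{ engineblock_private_key }}"` mapping that the removed comment explicitly labelled as backwards compatibility with older secrets files, but nothing in the commit shows that the consumers of `engineblock_private_keys` were updated or that inventories defining only `engineblock_private_key` were migrated. If any template or task in the role still reads `engineblock_private_keys.default` (I cannot see those references from here), such inventories will now fail with an undefined variable at the point of use rather than with a clear message. If the shim is dropped on purpose, say so in the commit message and consider an early `ansible.builtin.assert` in `tasks/main.yml` that checks `engineblock_private_keys is defined` and names the new variable in its `fail_msg`.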
@@ -1,43 +0,0 @@ -- name: Get Composer installer signature. - uri: - url: https://composer.github.io/installer.sig - return_content: true - register: composer_installer_signature - -- name: Download Composer installer - get_url: - url: https://getcomposer.org/installer - dest: /tmp/composer-installer.php - mode: 0755 - checksum: "sha384:{{ composer_installer_signature.content }}" - register: reg_composer_installer - -- name: Run Composer installer - command: > - php72 composer-installer.php - chdir=/tmp - when: - - reg_composer_installer.changed | bool - -- name: Move Composer into globally-accessible location. - command: > - mv -f /tmp/composer.phar {{ composer_path }} - creates={{ composer_path }} - when: - - reg_composer_installer.changed | bool - -- name: Remove Nodesource repositories for Node.js - yum: - name: "nodesource-release" - state: removed - -- name: Add Nodesource repositories for Node.js - yum: - name: "https://rpm.nodesource.com/pub_12.x/el/{{ ansible_distribution_major_version }}/{{ ansible_architecture }}/nodesource-release-el{{ ansible_distribution_major_version }}-1.noarch.rpm" - state: present - -- name: Ensure Node.js and npm are installed - yum: - name: "nodejs-12*" - state: present - enablerepo: nodesource diff --git a/roles/engineblock/tasks/develop.yml b/roles/engineblock/tasks/develop.yml deleted file mode 100644 index 4732b79f6..000000000 --- a/roles/engineblock/tasks/develop.yml +++ /dev/null 
@@ -1,46 +0,0 @@ ---- -- name: Add "engineblock" user - user: - name: engineblock - groups: "{{ apache_user}}" - append: yes - state: present - createhome: no - -- name: Create the cache dir for Symfony - file: - path: "{{ engineblock_symfony_cache_path }}" - state: directory - recurse: yes - -- name: Create the log dir for Symfony - file: - path: "{{ engineblock_symfony_log_path }}" - state: directory - recurse: yes - -- name: Ensure setfacl support is present. - become: true - package: - name: acl - state: present - -- name: Allow vagrant user complete access to all engineblock files - become: true - acl: - entity: "{{ item[0] }}" - default: "{{ item[1] }}" - path: "{{ item[2] }}" - permissions: rwx - use_nfsv4_acls: yes - with_nested: - - [ "{{ engine_fpm_user }}", "vagrant" ] - - [ "no", "yes" ] - - [ "{{ engineblock_symfony_cache_path }}", "{{ engineblock_symfony_log_path }}", "/opt/openconext/OpenConext-engineblock/" ] - -- name: Copy app_dev.php.dist to OpenConext web folder - copy: - src: "/opt/openconext/OpenConext-engineblock/app_dev.php.dist" - dest: "/opt/openconext/OpenConext-engineblock/web/app_dev.php" - remote_src: yes - mode: 0644 diff --git a/roles/engineblock/tasks/install-branch.yml b/roles/engineblock/tasks/install-branch.yml deleted file mode 100644 index 56d819ac3..000000000 --- a/roles/engineblock/tasks/install-branch.yml +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -- name: Check if target dir exists - stat: - path: "{{ engine_release_dir }}" - register: eb_dir - -- name: Checkout engine-block branch - git: - repo: https://github.com/OpenConext/OpenConext-engineblock.git - dest: "{{ engine_branch_dir }}" - version: "{{ engine_branch }}" - force: yes - register: eb_gitclone - -- name: Make release - command: "./bin/makeRelease.sh {{ engine_branch }}" - environment: - HOME: "{{ openconext_builds_dir }}" - PATH: /usr/local/bin:{{ ansible_env.PATH }} - args: - chdir: "{{ engine_branch_dir }}" - when: - - eb_gitclone.changed or not eb_dir.stat.exists - register: make_release_out - -- debug: - var: make_release_out - verbosity: 2 - -- name: Unpack current version - unarchive: - src: "{{ openconext_builds_dir }}/Releases/OpenConext-engineblock-{{ engine_branch | replace('/', '_') }}.tar.gz" - dest: "{{ openconext_releases_dir }}" - copy: no - when: - - eb_gitclone.changed or not eb_dir.stat.exists - -- name: Activate new EngineBlock branch - file: - src: "{{ openconext_releases_dir }}/OpenConext-engineblock-{{ engine_branch | replace('/', '_') }}" - dest: "{{ engine_current_release_symlink }}" - state: link - notify: - - "restart httpd" - - "restart php72-fpm" diff --git a/roles/engineblock/tasks/install-release.yml b/roles/engineblock/tasks/install-release.yml deleted file mode 100644 index a76789e17..000000000 --- a/roles/engineblock/tasks/install-release.yml +++ /dev/null 
@@ -1,31 +0,0 @@ ---- -- name: Check if target dir exists - stat: - path: "{{ engine_current_release_symlink }}" - follow: no - register: eb_dir - -- name: Download current version - get_url: - url: "{{ engine_download_url }}" - dest: "{{ engine_build_path }}" - register: eb_download - -- name: Unpack current version - unarchive: - src: "{{ engine_build_path }}" - dest: "{{ openconext_releases_dir }}" - copy: no - when: - - eb_download.changed or eb_dir.stat.lnk_source != engine_release_dir - -- name: Activate new EngineBlock release - file: - src: "{{ engine_release_dir }}" - dest: "{{ engine_current_release_symlink }}" - state: link - notify: - - "restart httpd" - - "restart php72-fpm" - when: - - eb_download.changed or eb_dir.stat.lnk_source != engine_release_dir diff --git a/roles/engineblock/tasks/main.yml b/roles/engineblock/tasks/main.yml index 594b4f85d..0376bd638 100644 --- a/roles/engineblock/tasks/main.yml +++ b/roles/engineblock/tasks/main.yml @@ -1,6 +1,3 @@ -- name: Include docker vars - ansible.builtin.include_vars: docker.yml - - name: Add group engine ansible.builtin.group: name: "engine" @@ -52,8 +49,7 @@ mode: "0644" owner: root group: engine - when: - attributes_json_present.stat.exists + when: attributes_json_present.stat.exists - name: Check presence of language specific overrides ansible.builtin.stat: @@ -89,8 +85,7 @@ owner: root group: engine mode: "0644" - when: - customlogo.stat.exists + when: customlogo.stat.exists - name: Check if we have a custom favicon ansible.builtin.stat: @@ -106,8 +101,7 @@ owner: root group: root mode: "0644" - when: - customfavicon.stat.exists + when: customfavicon.stat.exists - name: Check if we have a custom background back image for the feedback page ansible.builtin.stat: 
@@ -123,8 +117,7 @@ owner: root group: engine mode: "0644" - when: - eb_customfeedbackbackground.stat.exists + when: eb_customfeedbackbackground.stat.exists - name: Check if we have a custom background front image for the feedback page ansible.builtin.stat: @@ -140,8 +133,7 @@ owner: root group: engine mode: "0644" - when: - eb_customfeedbackforeground.stat.exists + when: eb_customfeedbackforeground.stat.exists - name: Check if we have a Stepup GW certificate ansible.builtin.stat: @@ -157,8 +149,7 @@ owner: root group: engine mode: "0644" - when: - eb_stepupgwcert.stat.exists + when: eb_stepupgwcert.stat.exists - name: Copy over the engineblock keys ansible.builtin.copy: diff --git a/roles/engineblock/tasks/test.yml b/roles/engineblock/tasks/test.yml deleted file mode 100644 index 43133372b..000000000 --- a/roles/engineblock/tasks/test.yml +++ /dev/null 
@@ -1,36 +0,0 @@ ---- -- name: Create install directory - file: - path: "{{ engineblock_selenium_install_dir }}/selenium" - state: directory - recurse: yes - -- name: Install latest Chrome - yum: - name: https://dl.google.com/linux/direct/google-chrome-stable_current_x86_64.rpm - state: present - -- name: Install Selenium standalone - get_url: - url: "http://selenium-release.storage.googleapis.com/{{ engineblock_selenium_version | regex_replace('\\.[0-9]+$', '') }}/selenium-server-standalone-{{ engineblock_selenium_version }}.jar" - dest: "{{ engineblock_selenium_install_dir }}/selenium/selenium-server-standalone-{{ engineblock_selenium_version }}.jar" - mode: 0755 - -- name: Get the latest release for chromedriver - uri: - url: https://chromedriver.storage.googleapis.com/LATEST_RELEASE - return_content: yes - register: chromedriver_latest - -- name: Install chromedriver - unarchive: - src: "https://chromedriver.storage.googleapis.com/{{ chromedriver_latest.content | trim }}/chromedriver_linux64.zip" - dest: "{{ engineblock_selenium_install_dir }}/selenium" - mode: 0755 - copy: no - -- name: Install systemd unit file - template: - src: "selenium-unit.j2" - dest: /etc/systemd/system/selenium.service - mode: 0755 diff --git a/roles/engineblock/templates/engine-api.conf.j2 b/roles/engineblock/templates/engine-api.conf.j2 deleted file mode 100644 index f2e455933..000000000 --- a/roles/engineblock/templates/engine-api.conf.j2 +++ /dev/null 
@@ -1,54 +0,0 @@ -{% if apache_app_listen_address.engine_api is defined %} -Listen {{ apache_app_listen_address.engine_api }}:{{ loadbalancing.engine_api.port }} - -{% else %} - -{% endif %} - ServerAdmin {{ admin_email }} - - DocumentRoot {{ engine_current_release_symlink }}/web - ServerName {{ engine_api_domain }} - - - Require all granted - Options -MultiViews - RewriteEngine On - RewriteBase / - RewriteCond %{REQUEST_FILENAME} !-f - RewriteRule ^(.*)$ app{% if develop %}_dev{% endif %}.php [QSA,L] - -{% if apache_app_listen_address.all is defined %} - SSLEngine on - SSLCertificateFile {{ tls.cert_path }}/{{ tls_star_cert }} - SSLCertificateKeyFile {{ tls.cert_private_path }}/{{ tls_star_cert_key }} - SSLCertificateChainFile {{ tls.cert_path_ca }}/{{ tls_ca }} -{% endif %} - - Header always set X-Content-Type-Options "nosniff" - Header always set X-Frame-Options "DENY" - Header always set Content-Security-Policy "{{ httpd_csp.nothing }}" - - SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1 - SetEnv ENGINEBLOCK_ENV {{ engine_apache_environment }} - SetEnv SYMFONY_ENV {{ engine_apache_symfony_environment }} - SetEnv HTTPS on - - RewriteEngine On - # We support only GET/POST/HEAD - RewriteCond %{REQUEST_METHOD} !^(POST|DELETE|GET|HEAD)$ - RewriteRule .* - [R=405,L] - - #Proxy the requests to FPM - ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/var/run/php-fpm/engine-pool-72.sock|fcgi://localhost/{{ engine_current_release_symlink }}/web/$1 - - ErrorLog "|/usr/bin/logger -S 32k -p local3.err -t 'Apache-EBAPI'" - CustomLog "|/usr/bin/logger -S 32k -p local3.info -t 'Apache-EBAPI'" combined - - {% if haproxy_backend_tls %} - SSLEngine on - SSLCertificateFile {{ tls.cert_path }}/backend.{{ base_domain }}.pem - SSLCertificateKeyFile {{ tls.cert_private_path }}/backend.{{ base_domain }}.key - Include ssl_backend.conf - {% endif %} - - 
diff --git a/roles/engineblock/templates/engine-pool-72.conf.j2 b/roles/engineblock/templates/engine-pool-72.conf.j2 deleted file mode 100644 index c766f2a65..000000000 --- a/roles/engineblock/templates/engine-pool-72.conf.j2 +++ /dev/null 
@@ -1,227 +0,0 @@ -; Create a new pool named engine. -[engine] - -; The address on which to accept FastCGI requests. -; Valid syntaxes are: -; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific address on -; a specific port; -; 'port' - to listen on a TCP socket to all addresses on a -; specific port; -; '/path/to/unix/socket' - to listen on a unix socket. -; Note: This value is mandatory. - -; Use unix socket -listen = /var/run/php-fpm/engine-pool-72.sock - -; Set listen(2) backlog. A value of '-1' means unlimited. -; Default Value: -1 -;listen.backlog = -1 - -; List of ipv4 addresses of FastCGI clients which are allowed to connect. -; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original -; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address -; must be separated by a comma. If this value is left blank, connections will be -; accepted from any ip address. -; Default Value: any -listen.allowed_clients = 127.0.0.1 - -; Set permissions for unix socket, if one is used. In Linux, read/write -; permissions must be set in order to allow connections from a web server. Many -; BSD-derived systems allow connections regardless of permissions. -; Default Values: user and group are set as the running user -; mode is set to 0666 -listen.owner = apache -listen.group = apache -listen.mode = 0640 - -; Unix user/group of processes -; Note: The user is mandatory. If the group is not set, the default user's group -; will be used. -user = {{ engine_fpm_user }} -group = {{ engine_fpm_user }} - -; Choose how the process manager will control the number of child processes. -; Possible Values: -; static - a fixed number (pm.max_children) of child processes; -; dynamic - the number of child processes are set dynamically based on the -; following directives: -; pm.max_children - the maximum number of children that can -; be alive at the same time. -; pm.start_servers - the number of children created on startup. 
-; pm.min_spare_servers - the minimum number of children in 'idle' -; state (waiting to process). If the number -; of 'idle' processes is less than this -; number then some children will be created. -; pm.max_spare_servers - the maximum number of children in 'idle' -; state (waiting to process). If the number -; of 'idle' processes is greater than this -; number then some children will be killed. -; Note: This value is mandatory. -pm = dynamic - -; The number of child processes to be created when pm is set to 'static' and the -; maximum number of child processes to be created when pm is set to 'dynamic'. -; This value sets the limit on the number of simultaneous requests that will be -; served. Equivalent to the ApacheMaxClients directive with mpm_prefork. -; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP -; CGI. -; Note: Used when pm is set to either 'static' or 'dynamic' -; Note: This value is mandatory. -pm.max_children = 40 - -; The number of child processes created on startup. -; Note: Used only when pm is set to 'dynamic' -; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2 -pm.start_servers = 5 - -; The desired minimum number of idle server processes. -; Note: Used only when pm is set to 'dynamic' -; Note: Mandatory when pm is set to 'dynamic' -pm.min_spare_servers = 5 - -; The desired maximum number of idle server processes. -; Note: Used only when pm is set to 'dynamic' -; Note: Mandatory when pm is set to 'dynamic' -pm.max_spare_servers = 35 - -; The number of requests each child process should execute before respawning. -; This can be useful to work around memory leaks in 3rd party libraries. For -; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS. -; Default Value: 0 -;pm.max_requests = 500 - -; The URI to view the FPM status page. If this value is not set, no URI will be -; recognized as a status page. 
By default, the status page shows the following -; information: -; accepted conn - the number of request accepted by the pool; -; pool - the name of the pool; -; process manager - static or dynamic; -; idle processes - the number of idle processes; -; active processes - the number of active processes; -; total processes - the number of idle + active processes. -; The values of 'idle processes', 'active processes' and 'total processes' are -; updated each second. The value of 'accepted conn' is updated in real time. -; Example output: -; accepted conn: 12073 -; pool: www -; process manager: static -; idle processes: 35 -; active processes: 65 -; total processes: 100 -; By default the status page output is formatted as text/plain. Passing either -; 'html' or 'json' as a query string will return the corresponding output -; syntax. Example: -; http://www.foo.bar/status -; http://www.foo.bar/status?json -; http://www.foo.bar/status?html -; Note: The value must start with a leading slash (/). The value can be -; anything, but it may not be a good idea to use the .php extension or it -; may conflict with a real PHP file. -; Default Value: not set -pm.status_path = /status - -; The ping URI to call the monitoring page of FPM. If this value is not set, no -; URI will be recognized as a ping page. This could be used to test from outside -; that FPM is alive and responding, or to -; - create a graph of FPM availability (rrd or such); -; - remove a server from a group if it is not responding (load balancing); -; - trigger alerts for the operating team (24/7). -; Note: The value must start with a leading slash (/). The value can be -; anything, but it may not be a good idea to use the .php extension or it -; may conflict with a real PHP file. -; Default Value: not set -;ping.path = /ping - -; This directive may be used to customize the response of a ping request. The -; response is formatted as text/plain with a 200 response code. 
-; Default Value: pong -;ping.response = pong - -; The timeout for serving a single request after which the worker process will -; be killed. This option should be used when the 'max_execution_time' ini option -; does not stop script execution for some reason. A value of '0' means 'off'. -; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) -; Default Value: 0 -;request_terminate_timeout = 0 - -; The timeout for serving a single request after which a PHP backtrace will be -; dumped to the 'slowlog' file. A value of '0s' means 'off'. -; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) -; Default Value: 0 -;request_slowlog_timeout = 0 - -; The log file for slow requests -; Default Value: not set -; Note: slowlog is mandatory if request_slowlog_timeout is set -slowlog = /var/log/php-fpm/www-slow.log - -; Set open file descriptor rlimit. -; Default Value: system defined value -;rlimit_files = 1024 - -; Set max core size rlimit. -; Possible Values: 'unlimited' or an integer greater or equal to 0 -; Default Value: system defined value -;rlimit_core = 0 - -; Chroot to this directory at the start. This value must be defined as an -; absolute path. When this value is not set, chroot is not used. -; Note: chrooting is a great security feature and should be used whenever -; possible. However, all PHP paths will be relative to the chroot -; (error_log, sessions.save_path, ...). -; Default Value: not set -;chroot = - -; Chdir to this directory at the start. This value must be an absolute path. -; Default Value: current directory or / when chroot -;chdir = /var/www - -; Redirect worker stdout and stderr into main error log. If not set, stdout and -; stderr will be redirected to /dev/null according to FastCGI specs. -; Default Value: no -;catch_workers_output = yes - -; Limits the extensions of the main script FPM will allow to parse. This can -; prevent configuration mistakes on the web server side. 
You should only limit -; FPM to .php extensions to prevent malicious users to use other extensions to -; exectute php code. -; Note: set an empty value to allow all extensions. -; Default Value: .php -;security.limit_extensions = .php .php3 .php4 .php5 - -; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from -; the current environment. -; Default Value: clean env -;env[HOSTNAME] = $HOSTNAME -;env[PATH] = /usr/local/bin:/usr/bin:/bin -;env[TMP] = /tmp -;env[TMPDIR] = /tmp -;env[TEMP] = /tmp - -; Additional php.ini defines, specific to this pool of workers. These settings -; overwrite the values previously defined in the php.ini. The directives are the -; same as the PHP SAPI: -; php_value/php_flag - you can set classic ini defines which can -; be overwritten from PHP call 'ini_set'. -; php_admin_value/php_admin_flag - these directives won't be overwritten by -; PHP call 'ini_set' -; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no. - -; Defining 'extension' will load the corresponding shared extension from -; extension_dir. Defining 'disable_functions' or 'disable_classes' will not -; overwrite previously defined php.ini values, but will append the new value -; instead. - -; Default Value: nothing is defined by default except the values in php.ini and -; specified at startup with the -d argument -;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com -;php_flag[display_errors] = off -php_admin_value[error_log] = /var/log/php-fpm/engine-error.log -php_admin_flag[log_errors] = on -php_admin_value[memory_limit] = {{ engine_fpm_memory }} -php_admin_value[post_max_size] = 25M - -; Set session path to a directory owned by process user -php_value[session.save_handler] = files -php_value[session.save_path] = {{ php_session_dir }}/engine -php_value[disable_functions] = {{ php_disabled_functions }} 
diff --git a/roles/engineblock/templates/engine.conf.j2 b/roles/engineblock/templates/engine.conf.j2 deleted file mode 100644 index 6b7b769c1..000000000 --- a/roles/engineblock/templates/engine.conf.j2 +++ /dev/null 
@@ -1,56 +0,0 @@ -{% if apache_app_listen_address.engine is defined %} -Listen {{ apache_app_listen_address.engine }}:{{ loadbalancing.engine.port }} - -{% else %} - -{% endif %} - ServerAdmin {{ admin_email }} - - DocumentRoot {{ engine_current_release_symlink }}/web - ServerName {{ engine_domain }} - - - Require all granted - Options -MultiViews - RewriteEngine On - RewriteBase / - RewriteCond %{REQUEST_FILENAME} !-f - RewriteRule ^(.*)$ app{% if develop %}_dev{% endif %}.php [QSA,L] - - - Header always set X-Content-Type-Options "nosniff" - - SetEnv ENGINEBLOCK_ENV {{ engine_apache_environment }} - SetEnv SYMFONY_ENV {{ engine_apache_symfony_environment }} - SetEnv HTTPS on - - RewriteEngine On - # We support only GET/POST - RewriteCond %{REQUEST_METHOD} !^(POST|GET)$ - RewriteRule .* - [R=405,L] - - #Proxy the requests to FPM - ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/var/run/php-fpm/engine-pool-72.sock|fcgi://localhost/{{ engine_current_release_symlink }}/web/$1 - - ErrorLog "|/usr/bin/logger -S 32k -p local3.err -t 'Apache-EB'" - CustomLog "|/usr/bin/logger -S 32k -p local3.info -t 'Apache-EB'" combined - {% if haproxy_backend_tls %} - SSLEngine on - SSLCertificateFile {{ tls.cert_path }}/backend.{{ base_domain }}.pem - SSLCertificateKeyFile {{ tls.cert_private_path }}/backend.{{ base_domain }}.key - Include ssl_backend.conf - {% endif %} - {% if apache_app_listen_address.all is defined %} - SSLEngine on - SSLCertificateFile {{ tls.cert_path }}/{{ tls_star_cert }} - SSLCertificateKeyFile {{ tls.cert_private_path }}/{{ tls_star_cert_key }} - SSLCertificateChainFile {{ tls.cert_path_ca }}/{{ tls_ca }} - Include ssl_backend.conf - {% endif %} - - ExpiresActive on - ExpiresByType font/* "access plus 1 year" - ExpiresByType image/* "access plus 6 months" - ExpiresByType text/css "access plus 1 year" - ExpiresByType text/js "access plus 1 year" - 
diff --git a/roles/engineblock/templates/selenium-unit.j2 b/roles/engineblock/templates/selenium-unit.j2 deleted file mode 100644 index 29f943cfa..000000000 --- a/roles/engineblock/templates/selenium-unit.j2 +++ /dev/null @@ -1,11 +0,0 @@ -[Unit] -Description=Selenium test framework -After=syslog.target network.target - -[Service] -ExecStart=/usr/bin/java -jar {{ engineblock_selenium_install_dir }}/selenium/selenium-server-standalone-{{ engineblock_selenium_version }}.jar -Dwebdriver.chrome.driver={{ engineblock_selenium_install_dir }}/selenium/chromedriver & -Restart=on-failure -RestartSec=20s - -[Install] -WantedBy=multi-user.target \ No newline at end of file diff --git a/roles/engineblock/vars/docker.yml b/roles/engineblock/vars/main.yml similarity index 100% rename from roles/engineblock/vars/docker.yml rename to roles/engineblock/vars/main.yml From 7b690916eafa3ad57a5f618e89974d3441592745 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Fri, 22 Nov 2024 08:11:49 +0100 Subject: [PATCH 13/32] EB: Add no log option to tasks that would show the eb keys on screen --- roles/engineblock/tasks/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/engineblock/tasks/main.yml b/roles/engineblock/tasks/main.yml index 0376bd638..492329c32 100644 --- a/roles/engineblock/tasks/main.yml +++ b/roles/engineblock/tasks/main.yml @@ -158,6 +158,7 @@ owner: root group: engine mode: "0440" + no_log: true loop: "{{ engine_key_and_certs }}" - name: Copy engineblock certificates to correct location @@ -167,6 +168,7 @@ owner: root group: engine mode: "0644" + no_log: true loop: "{{ engine_key_and_certs }}" - name: Create Docker volume to contain the sessions From c1eb2189c5d4a6c3762353a7a2f5b8636c511ea4 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Fri, 22 Nov 2024 08:12:20 +0100 Subject: [PATCH 14/32] EB: Add memory environment var --- roles/engineblock/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/roles/engineblock/tasks/main.yml b/roles/engineblock/tasks/main.yml index 492329c32..2189ad4c2 100644 --- a/roles/engineblock/tasks/main.yml +++ b/roles/engineblock/tasks/main.yml @@ -196,6 +196,7 @@ APACHE_UID: "#{{ engine_uid.uid }}" APACHE_GUID: "#{{ engine_guid.gid }}" TZ: "{{ timezone }}" + PHP_MEMORY_LIMIT: "{{ engine_php_memory }}" etc_hosts: host.docker.internal: host-gateway mounts: From 61e4c460721ca2704d829d421cfeb3a86ed5be30 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Sun, 24 Nov 2024 20:07:29 +0100 Subject: [PATCH 15/32] Engineblock: add default php memory setting --- roles/engineblock/defaults/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/engineblock/defaults/main.yml b/roles/engineblock/defaults/main.yml index c58a30d05..07f906d37 100644 --- a/roles/engineblock/defaults/main.yml +++ b/roles/engineblock/defaults/main.yml @@ -105,3 +105,5 @@ eb_tos_url: "https://example.org" engine_site_notice_show: false engineblock_log_attributes: [] + +engine_php_memory: 256M From 10354e717409b00d2192cb05379e68e8964b4443 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Tue, 26 Nov 2024 08:09:28 +0100 Subject: [PATCH 16/32] Engineblock is moved to a seperate group. This allows running engineblock on seperate docker hosts --- provision.yml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/provision.yml b/provision.yml index 90b4bfcfb..f8e6b456c 100644 --- a/provision.yml +++ b/provision.yml @@ -164,10 +164,14 @@ - { role: stepupra , tags: ['stepupra' , 'stepup'] } - { role: stepupgateway , tags: ['stepupgateway' , 'stepup'] } -- hosts: docker +- hosts: docker_apps1,docker_apps2 become: true roles: - { role: docker, tags: ['docker' ] } + +- hosts: docker_apps1 + become: true + roles: - { role: invite, tags: ['invite' ] } - { role: dashboard, tags: ["dashboard"] } - { role: teams, tags: ["teams"] } 
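Review bot: `PHP_MEMORY_LIMIT: "{{ engine_php_memory }}"` references a variable that this commit does not define; the default `engine_php_memory: 256M` only arrives in the next commit ([PATCH 15/32]), so at this commit the role fails with an undefined variable for any inventory that does not set it. Folding the defaults change into this commit (or squashing the two) keeps every commit deployable, which matters when bisecting. The `env:` mapping of the container task begins outside the hunk.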
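Review bot: The `hosts:` line of the docker play changes from the `docker` group to `docker_apps1,docker_apps2`, and the new plays in this hunk and the next target those groups too, but the diffstat shows only `provision.yml` changed, so no inventory or example introduces the new group names. As far as I can tell an inventory that still only defines `docker` will match no hosts for these plays; Ansible prints a "Could not match supplied host pattern" warning and skips them instead of failing, so the rename can go unnoticed until engineblock is simply never deployed. Consider keeping `hosts: docker` for the shared plays with `docker_apps1` and `docker_apps2` as children of that group, or documenting the required inventory change in the commit message and the environment README. The `roles:` list of the `docker_apps1` play continues outside the hunk.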
@@ -183,8 +187,12 @@ - { role: diyidp, tags: ["diyidp"] } - { role: profile, tags: ["profile"] } - { role: lifecycle, tags: ["lifecycle"] } - - { role: engineblock, tags: ["eb"] } - { role: stepuptiqr, tags: ['stepuptiqr' , 'stepup'] } +- hosts: docker_apps2 + become: true + roles: + - { role: engineblock, tags: ["eb"] } + - import_playbook: "{{ environment_dir }}/playbook.yml" From 2030a8231fcc803cc5c13c6745acca83a5ea133a Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Thu, 14 Nov 2024 14:42:39 +0100 Subject: [PATCH 17/32] Add small MariaDB docker role, for running on a single node --- roles/mariadbdocker/defaults/main.yml | 3 + roles/mariadbdocker/tasks/main.yml | 96 +++++++++++++++++++ .../templates/mariadb_backup.sh.j2 | 49 ++++++++++ 3 files changed, 148 insertions(+) create mode 100644 roles/mariadbdocker/defaults/main.yml create mode 100644 roles/mariadbdocker/tasks/main.yml create mode 100644 roles/mariadbdocker/templates/mariadb_backup.sh.j2 diff --git a/roles/mariadbdocker/defaults/main.yml b/roles/mariadbdocker/defaults/main.yml new file mode 100644 index 000000000..4a346be37 --- /dev/null +++ b/roles/mariadbdocker/defaults/main.yml @@ -0,0 +1,3 @@ +docker_mariadb_network_range: "172.21.21.0/24" +mysql_backup_user: backup_user +backup_node: True diff --git a/roles/mariadbdocker/tasks/main.yml b/roles/mariadbdocker/tasks/main.yml new file mode 100644 index 000000000..a50f3723a --- /dev/null +++ b/roles/mariadbdocker/tasks/main.yml 
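Review bot: `backup_node: True` in the new `roles/mariadbdocker/defaults/main.yml` uses the capitalised YAML 1.1 boolean form, while the tasks of the same role write `pull: true` and `internal: false`; yamllint's `truthy` rule flags the capitalised form, so write `backup_node: true`. The tasks consume it through `backup_node | bool`, so behaviour is the same either way; this is a consistency point only.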
@@ -0,0 +1,96 @@ +--- +- name: Create MariaDB volume + community.docker.docker_volume: + name: openconext_mariadb + state: present + +- name: Create MariaDB network + community.docker.docker_network: + name: openconext_mariadb + state: present + internal: false + ipam_config: + - subnet: "{{ docker_mariadb_network_range }}" + +- name: Create the MariaDB container + community.docker.docker_container: + name: openconext_mariadb + image: mariadb:10.6 + state: started + pull: true + restart_policy: "always" + ports: "127.0.0.1:3306:3306" + networks: + - name: "openconext_mariadb" + mounts: + - type: volume + source: openconext_mariadb + target: /var/lib/mysql + env: + MARIADB_ROOT_PASSWORD: "{{ mariadb_root_password }}" + +- name: Create database + community.mysql.mysql_db: + name: "{{ item }}" + state: present + login_user: root + login_host: localhost + login_password: "{{ mariadb_root_password }}" + with_items: + - "{{ databases.names }}" + +- name: Create database user + community.mysql.mysql_user: + name: "{{ item[0].name }}" + host: "{{ item[1] }}" + password: "{{ item[0].password }}" + priv: "{{ item[0].db_name }}.*:{{ item[0].privilege }}" + state: present + append_privs: true + login_user: root + login_host: localhost + login_password: "{{ mariadb_root_password }}" + # no_log: true + with_nested: + - "{{ databases.users }}" + - "{{ database_clients }}" + +- name: Add mariadb backup user + community.mysql.mysql_user: + name: "{{ mysql_backup_user }}" + password: "{{ mysql_backup_password }}" + login_user: root + login_password: "{{ mariadb_root_password }}" + login_host: localhost + priv: "*.*:SELECT,RELOAD,PROCESS,LOCK TABLES,BINLOG MONITOR,CONNECTION ADMIN,SHOW VIEW" + state: present + # no_log: true + +- name: Create the backup directory + ansible.builtin.file: + path: /home/backup + state: directory + owner: root + group: root + mode: "0700" + when: + - backup_node | bool + +- name: Put mariadb_backup script + ansible.builtin.template: + src: 
"mariadb_backup.sh.j2" + dest: "/usr/local/sbin/mariadb_backup.sh" + mode: "0700" + owner: root + when: + - backup_node | bool + +- name: Create cron symlink for backup script + file: + src: /usr/local/sbin/mariadb_backup.sh + dest: /etc/cron.daily/db_backup + state: link + mode: 0700 + owner: root + when: + - backup_node | bool diff --git a/roles/mariadbdocker/templates/mariadb_backup.sh.j2 b/roles/mariadbdocker/templates/mariadb_backup.sh.j2 new file mode 100644 index 000000000..43efffdea --- /dev/null +++ b/roles/mariadbdocker/templates/mariadb_backup.sh.j2 
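Review bot: Both `community.mysql.mysql_user` tasks in the new `roles/mariadbdocker/tasks/main.yml` leave `# no_log: true` commented out, and the `Create database user` task iterates `with_nested` over `databases.users`, so every loop result prints `item[0]` — including its `password` field — in the play output and in any log that captures it; the module's own masking of `password`/`login_password` does not cover the loop item. Re-enable `no_log: true` on both tasks, and consider it on `Create the MariaDB container` as well, since the module's return value includes the container's inspect data and therefore `MARIADB_ROOT_PASSWORD` when run verbosely. Two smaller points: `mode: 0700` in the `Create cron symlink for backup script` task is an unquoted octal and should be `mode: "0700"` like the other tasks, and `login_host: localhost` from the controller may select a unix socket with some MySQL client libraries while the server is only reachable via the published `127.0.0.1:3306`, which is worth confirming against the client library in use. The `Put mariadb_backup script` task is split across this and the previous source line.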
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+umask 0077
+
+declare -x PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
+
+MYSQL_USER="{{ mysql_backup_user }}"
+MYSQL_PASS="{{ mysql_backup_password }}"
+FOLDER="/home/backup"
+
+DAY=$(/bin/date +'%a')
+
+echo "-- Remove old backups --"
+find /home/backup/ -type f -ctime +2 -delete
+
+echo "-- START new backups --"
+
+echo "SET autocommit=0;SET unique_checks=0;SET foreign_key_checks=0;" > tmp_sqlhead.sql
+echo "SET autocommit=1;SET unique_checks=1;SET foreign_key_checks=1;" > tmp_sqlend.sql
+
+if [ -z "$1" ]
+ then
+ echo "-- Dumping all DB ..."
+ for I in $(docker exec openconext_mariadb mariadb -u $MYSQL_USER --password=$MYSQL_PASS -e 'show databases' -s --skip-column-names);
+ do
+ if [ "$I" = information_schema ] || [ "$I" = mysql ] || [ "$I" = sys ] || [ "$I" = performance_schema ] # exclude this DB
+ then
+ echo "-- Skip $I ..."
+ continue
+ fi
+ echo "-- Dumping $I ..."
+ # Pipe compress and concat the head/end with the stoutput of mysqlump ( '-' cat argument)
+ docker exec openconext_mariadb mysqldump -u $MYSQL_USER --password=$MYSQL_PASS $I | cat tmp_sqlhead.sql - tmp_sqlend.sql | gzip -fc > "$FOLDER/$DAY-$I.sql.gz"
+ done
+
+else
+ I=$1;
+ echo "-- Dumping $I ..."
+ # Pipe compress and concat the head/end with the stoutput of mysqlump ( '-' cat argument)
+ docker exec openconext_mariadb mysqldump -u $MYSQL_USER --password=$MYSQL_PASS $I | cat tmp_sqlhead.sql - tmp_sqlend.sql | gzip -fc > "$FOLDER/$DAY-$I.sql.gz"
+fi
+
+# remove tmp files
+rm tmp_sqlhead.sql
+rm tmp_sqlend.sql
+
+echo "-- FINISH —"
+
+umask 0022
From 6cfc49eedbc43296041f44508485581fd6526dcc Mon Sep 17 00:00:00 2001 From: Peter Havekes Date: Fri, 29 Nov 2024 16:02:08 +0100 Subject: [PATCH 18/32] Overwrite apple-app-site-association for myconext --- roles/myconext/tasks/main.yml | 11 +++++++++++ 1 file changed, 11 insertions(+)
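Review bot: A failed dump goes unnoticed: `docker exec … mysqldump` is the first stage of a pipeline whose exit status comes from `gzip`, the script never sets `pipefail` or checks `$?`, and `find /home/backup/ -type f -ctime +2 -delete` runs before any new dump exists, so a stopped container or a broken database leaves a truncated `.sql.gz`, an exit code of 0 for cron and the previous copies already deleted. The rewrite below enables `pipefail`, moves the dump into a helper that records failure and removes the partial file, prunes old copies only after a fully successful run, and exits non-zero otherwise. Separately, `--password=$MYSQL_PASS` on the `docker exec` command line exposes the backup password to every local user through the process list for the duration of each dump; a `--defaults-extra-file` with mode 0600 mounted into the container avoids that. Quoting `$MYSQL_USER`, `$MYSQL_PASS` and `$I` is also worth doing while touching these lines.

```bash
#!/bin/bash
set -o pipefail
# … unchanged: umask, PATH, MYSQL_USER/MYSQL_PASS/FOLDER, DAY …

FAILED=""
dump_db() {
  echo "-- Dumping $1 ..."
  # Pipe compress and concat the head/end with the output of mysqldump ( '-' cat argument)
  docker exec openconext_mariadb mysqldump -u "$MYSQL_USER" --password="$MYSQL_PASS" "$1" \
    | cat tmp_sqlhead.sql - tmp_sqlend.sql | gzip -fc > "$FOLDER/$DAY-$1.sql.gz" \
    || { echo "-- FAILED dumping $1" >&2; rm -f "$FOLDER/$DAY-$1.sql.gz"; FAILED=1; }
}
# … unchanged: tmp_sqlhead.sql / tmp_sqlend.sql creation, the all-databases loop and the single-database branch, each now calling dump_db "$I" …

# prune old copies only once this run has produced new ones
if [ -z "$FAILED" ]; then
  echo "-- Remove old backups --"
  find "$FOLDER" -type f -ctime +2 -delete
else
  echo "-- keeping old backups: at least one dump failed" >&2
fi
# … unchanged: tmp file removal, FINISH, umask …
[ -z "$FAILED" ] || exit 1
```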
diff --git a/roles/myconext/tasks/main.yml b/roles/myconext/tasks/main.yml index c5d424713..e37729542 100644 --- a/roles/myconext/tasks/main.yml +++ b/roles/myconext/tasks/main.yml @@ -46,6 +46,14 @@ notify: - "restart myconextserver" +- name: Copy apple-app-site-association from inventory + ansible.builtin.copy: + src: "{{ inventory_dir }}/files/myconext/apple-app-site-association" + dest: "/opt/openconext/myconext/apple-app-site-association" + owner: "root" + group: "root" + mode: "0640" + - name: Copy / create APNS certificate ansible.builtin.copy: content: "{{ myconext_apns }}" @@ -153,6 +161,9 @@ - source: /opt/openconext/common/favicon.ico target: /var/www/favicon.ico type: bind + - source: /opt/openconext/myconext/apple-app-site-association + target: /var/www/.well-known/apple-app-site-association + type: bind env: HTTPD_CSP: "{{ httpd_csp.lenient_with_static_img }}" HTTPD_SERVERNAME: "mijn.{{ myconext_base_domain }}" From 0fe40fb5cb7d7a93729c2c92fe118df8c17b8ada Mon Sep 17 00:00:00 2001 From: Peter Havekes Date: Fri, 29 Nov 2024 16:13:10 +0100 Subject: [PATCH 19/32] Overwrite apple-app-site-association for myconext --- roles/myconext/tasks/main.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/roles/myconext/tasks/main.yml b/roles/myconext/tasks/main.yml index e37729542..fc2145af9 100644 --- a/roles/myconext/tasks/main.yml +++ b/roles/myconext/tasks/main.yml @@ -161,9 +161,7 @@ - source: /opt/openconext/common/favicon.ico target: /var/www/favicon.ico type: bind - - source: /opt/openconext/myconext/apple-app-site-association - target: /var/www/.well-known/apple-app-site-association - type: bind + env: HTTPD_CSP: "{{ httpd_csp.lenient_with_static_img }}" HTTPD_SERVERNAME: "mijn.{{ myconext_base_domain }}" 
@@ -200,6 +198,9 @@ - source: /opt/openconext/common/favicon.ico target: /var/www/favicon.ico type: bind + - source: /opt/openconext/myconext/apple-app-site-association + target: /var/www/.well-known/apple-app-site-association + type: bind env: HTTPD_CSP: "{{ httpd_csp.lenient_with_static_img_for_idp }}" From fdaf26bc232286b036d0a7f96d7c86ecd9642eff Mon Sep 17 00:00:00 2001 From: Peter Havekes Date: Fri, 29 Nov 2024 16:15:55 +0100 Subject: [PATCH 20/32] Overwrite apple-app-site-association for myconext - file rights --- roles/myconext/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/myconext/tasks/main.yml b/roles/myconext/tasks/main.yml index fc2145af9..c3559244e 100644 --- a/roles/myconext/tasks/main.yml +++ b/roles/myconext/tasks/main.yml @@ -52,7 +52,7 @@ dest: "/opt/openconext/myconext/apple-app-site-association" owner: "root" group: "root" - mode: "0640" + mode: "0644" - name: Copy / create APNS certificate ansible.builtin.copy: From 01f8d3e11fbd4894833274dbd9e63e966d3b1ecc Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Mon, 2 Dec 2024 10:53:06 +0100 Subject: [PATCH 21/32] EB: Run the container handler only when the docker task has not restarted it already --- roles/engineblock/handlers/main.yml | 1 + roles/engineblock/tasks/main.yml | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/engineblock/handlers/main.yml b/roles/engineblock/handlers/main.yml index 6ab193b9f..562fae00c 100644 --- a/roles/engineblock/handlers/main.yml +++ b/roles/engineblock/handlers/main.yml @@ -4,3 +4,4 @@ name: engine state: started restart: true + when: ebcontainer is success and ebcontainer is not change diff --git a/roles/engineblock/tasks/main.yml b/roles/engineblock/tasks/main.yml index 2189ad4c2..226d2f815 100644 --- a/roles/engineblock/tasks/main.yml +++ b/roles/engineblock/tasks/main.yml 
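Review bot: The new `when:` on the engineblock restart handler dereferences `ebcontainer`, which only exists once the container task in tasks/main.yml has run (`register: ebcontainer` in the next diff); if the handler is notified in a run where that task did not execute — a tag-limited run, or a task failing before it — `ebcontainer is success` raises an undefined-variable error instead of restarting. Guard it: `when: ebcontainer is not defined or (ebcontainer is success and ebcontainer is not changed)`. `is not change` relies on `change` being an alias of the `changed` test; `changed` is the documented spelling and pairs with `success` on the same line. The handler's name line starts above this hunk.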
@@ -196,7 +196,7 @@ APACHE_UID: "#{{ engine_uid.uid }}" APACHE_GUID: "#{{ engine_guid.gid }}" TZ: "{{ timezone }}" - PHP_MEMORY_LIMIT: "{{ engine_php_memory }}" + PHP_MEMORY_LIMIT: "{{ engine_php_memory }}" etc_hosts: host.docker.internal: host-gateway mounts: @@ -230,3 +230,4 @@ - source: engineblock_sessions target: /tmp/ type: volume + register: ebcontainer From ebdde8807e83b9c3d9cfe0c7c98f78f4e02740c9 Mon Sep 17 00:00:00 2001 
From: Bart Geesink Date: Mon, 2 Dec 2024 10:27:28 +0100 Subject: [PATCH 22/32] All apps that have a MariaDB connection now have the ability to use an internal Docker network to connect to a local MariaDB host in Docker --- roles/attribute-aggregation/defaults/main.yml | 2 ++ roles/attribute-aggregation/tasks/main.yml | 10 ++++++++-- roles/engineblock/defaults/main.yml | 2 ++ roles/engineblock/tasks/main.yml | 10 ++++++++-- roles/invite/defaults/main.yml | 2 ++ roles/invite/tasks/main.yml | 15 ++++++++++----- roles/lifecycle/defaults/main.yml | 2 ++ roles/lifecycle/tasks/main.yml | 10 ++++++++-- roles/manage/defaults/main.yml | 2 ++ roles/manage/tasks/main.yml | 10 ++++++++-- roles/pdp/defaults/main.yml | 2 ++ roles/pdp/tasks/main.yml | 12 +++++++++--- roles/spdashboard/defaults/main.yml | 2 ++ roles/spdashboard/tasks/main.yml | 12 +++++++----- roles/stepupgateway/defaults/main.yml | 2 ++ roles/stepupgateway/tasks/main.yml | 10 ++++++++-- roles/stepupmiddleware/defaults/main.yml | 2 ++ roles/stepupmiddleware/tasks/docker.yml | 10 ++++++++-- roles/stepuptiqr/defaults/main.yml | 2 ++ roles/stepuptiqr/tasks/main.yml | 14 ++++++++++---- roles/stepupwebauthn/defaults/main.yml | 2 ++ roles/stepupwebauthn/tasks/main.yml | 10 ++++++++-- roles/teams/defaults/main.yml | 4 +++- roles/teams/tasks/main.yml | 10 ++++++++-- 24 files changed, 125 insertions(+), 34 deletions(-) create mode 100644 roles/stepupgateway/defaults/main.yml create mode 100644 roles/stepupmiddleware/defaults/main.yml create mode 100644 roles/stepuptiqr/defaults/main.yml create mode 100644 roles/stepupwebauthn/defaults/main.yml diff --git a/roles/attribute-aggregation/defaults/main.yml b/roles/attribute-aggregation/defaults/main.yml index c8fa91b23..d5bae0b6e 100644 --- a/roles/attribute-aggregation/defaults/main.yml +++ b/roles/attribute-aggregation/defaults/main.yml 
@@ -9,3 +9,5 @@ aa_manage_provision_oidcrp_description_en: "OAuth client to access VOOT for grou aa_manage_provision_oidcrp_grants: "client_credentials" aa_manage_provision_oidcrp_allowed_resource_servers: '{"name": "{{ voot.oidcng_checkToken_clientId }}"}' aa_spring_flyway_enabled: true +aa_docker_networks: + - name: loadbalancer diff --git a/roles/attribute-aggregation/tasks/main.yml b/roles/attribute-aggregation/tasks/main.yml index ab79fefe6..eded44567 100644 --- a/roles/attribute-aggregation/tasks/main.yml +++ b/roles/attribute-aggregation/tasks/main.yml @@ -21,6 +21,13 @@ - apachelink.conf notify: restart attribute-aggregationserver +- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker + ansible.builtin.set_fact: + aa_docker_networks: + - name: loadbalancer + - name: openconext_mariadb + when: mariadb_in_docker | default(false) | bool + - name: Create and start the server container community.docker.docker_container: name: aaserver @@ -28,8 +35,7 @@ pull: true restart_policy: "always" state: started - networks: - - name: "loadbalancer" + networks: "{{ aa_docker_networks }}" mounts: - source: /opt/openconext/attribute-aggregation/serverapplication.yml target: /application.yml diff --git a/roles/engineblock/defaults/main.yml b/roles/engineblock/defaults/main.yml index 07f906d37..f267d051d 100644 --- a/roles/engineblock/defaults/main.yml +++ b/roles/engineblock/defaults/main.yml @@ -107,3 +107,5 @@ engine_site_notice_show: false engineblock_log_attributes: [] engine_php_memory: 256M +engine_docker_networks: + - name: loadbalancer diff --git a/roles/engineblock/tasks/main.yml b/roles/engineblock/tasks/main.yml index 2189ad4c2..7724de46e 100644 --- a/roles/engineblock/tasks/main.yml +++ b/roles/engineblock/tasks/main.yml 
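Review bot: The set_fact in "Add the MariaDB docker network to the list of networks when MariaDB runs in Docker" replaces `aa_docker_networks` with a hard-coded two-entry list, so any operator override of `aa_docker_networks` from defaults (the reason for making it a variable) is silently discarded whenever `mariadb_in_docker` is true. Appending to the current value keeps overrides intact: `aa_docker_networks: "{{ aa_docker_networks + [{'name': 'openconext_mariadb'}] }}"`. The same pattern is repeated for engineblock, invite, lifecycle, manage, pdp, spdashboard, stepupgateway, stepupmiddleware, stepuptiqr, stepupwebauthn and teams in this patch and the fix applies there too. Consider also defining the `openconext_mariadb` network name once as a variable rather than as a literal in twelve roles, the way the mariadbdocker role already parameterises its subnet.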
@@ -176,14 +176,20 @@ name: engineblock_sessions state: present +- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker + ansible.builtin.set_fact: + engine_docker_networks: + - name: loadbalancer + - name: openconext_mariadb + when: mariadb_in_docker | default(false) | bool + - name: Create the container community.docker.docker_container: name: "engineblock" image: ghcr.io/openconext/openconext-engineblock/openconext-engineblock:{{ engine_version }} pull: true restart_policy: "always" - networks: - - name: "loadbalancer" + networks: "{{ engine_docker_networks}}" labels: traefik.http.routers.engine.rule: "Host(`engine.{{ base_domain }}`)" traefik.http.routers.engine.service: "engineblock" diff --git a/roles/invite/defaults/main.yml b/roles/invite/defaults/main.yml index 60e35df36..71b3c9b3e 100644 --- a/roles/invite/defaults/main.yml +++ b/roles/invite/defaults/main.yml @@ -15,3 +15,5 @@ invite_manage_provision_oauth_rs_scopes: "openid" invite_mock_install: false # Override is in the dockerX.env host_var files invite_cronjobmaster: true +invite_docker_networks: + - name: loadbalancer diff --git a/roles/invite/tasks/main.yml b/roles/invite/tasks/main.yml index a0b4b7232..06142a85e 100644 --- a/roles/invite/tasks/main.yml +++ b/roles/invite/tasks/main.yml @@ -48,6 +48,13 @@ when: invite_mock_install notify: restart inviteprovisioningmock +- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker + ansible.builtin.set_fact: + invite_docker_networks: + - name: loadbalancer + - name: openconext_mariadb + when: mariadb_in_docker | default(false) | bool + - name: Create and start the server container community.docker.docker_container: name: inviteserver @@ -57,8 +64,7 @@ pull: true restart_policy: "always" state: started - networks: - - name: "loadbalancer" + networks: "{{ invite_docker_networks }}" mounts: - source: /opt/openconext/invite/serverapplication.yml target: /application.yml 
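Review bot: `networks: "{{ engine_docker_networks}}"` drops the space before `}}` that every other role in this patch uses (`"{{ invite_docker_networks }}"` in the next file, for example); Jinja accepts it, but it breaks the project's own convention and any grep for `_docker_networks }}`. Write `networks: "{{ engine_docker_networks }}"`; the manage role has the same slip in `"{{ manage_docker_networks}}"`.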
@@ -80,7 +86,6 @@ start_period: 10s register: inviteservercontainer - - name: Create the client container community.docker.docker_container: name: inviteclient @@ -133,6 +138,7 @@ env: HTTPD_CSP: "{{ httpd_csp.strict_with_static_img }}" + - name: Create and start the mock provisioning container community.docker.docker_container: name: inviteprovisioningmock @@ -148,8 +154,7 @@ - source: /etc/localtime target: /etc/localtime type: bind - networks: - - name: "loadbalancer" + networks: "{{ invite_docker_networks }}" labels: traefik.http.routers.invitemock.rule: "Host(`mock.{{ base_domain }}`)" traefik.http.routers.invitemock.tls: "true" diff --git a/roles/lifecycle/defaults/main.yml b/roles/lifecycle/defaults/main.yml index 1338bd91c..cdf563af1 100644 --- a/roles/lifecycle/defaults/main.yml +++ b/roles/lifecycle/defaults/main.yml @@ -11,3 +11,5 @@ lifecycle_api_enabled: true lifecycle_api_password: secret lifecycle_api_username: lifecycle current_release_config_dir_name: /opt/openconext/{{ appname }} +lifecycle_docker_networks: + - name: loadbalancer diff --git a/roles/lifecycle/tasks/main.yml b/roles/lifecycle/tasks/main.yml index 011a3f3aa..102dcccbb 100644 --- a/roles/lifecycle/tasks/main.yml +++ b/roles/lifecycle/tasks/main.yml @@ -33,6 +33,13 @@ notify: - restart {{ appname }} +- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker + ansible.builtin.set_fact: + lifecycle_docker_networks: + - name: loadbalancer + - name: openconext_mariadb + when: mariadb_in_docker | default(false) | bool + - name: Create the container community.docker.docker_container: name: "{{ appname }}" @@ -41,8 +48,7 @@ host.docker.internal: host-gateway pull: true restart_policy: "always" - networks: - - name: "loadbalancer" + networks: "{{ lifecycle_docker_networks }}" labels: traefik.http.routers.lifecycle.rule: "Host(`lifecycle.{{ base_domain }}`)" traefik.http.routers.lifecycle.tls: "true" 
diff --git a/roles/manage/defaults/main.yml b/roles/manage/defaults/main.yml index ef5c4271d..a2de6442d 100644 --- a/roles/manage/defaults/main.yml +++ b/roles/manage/defaults/main.yml @@ -30,3 +30,5 @@ manage_tabs_enabled: - single_tenant_template - provisioning - sram +manage_docker_networks: + - name: loadbalancer diff --git a/roles/manage/tasks/main.yml b/roles/manage/tasks/main.yml index 9a4132c42..292744a11 100644 --- a/roles/manage/tasks/main.yml +++ b/roles/manage/tasks/main.yml @@ -72,6 +72,13 @@ notify: - "restart manageserver" +- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker + ansible.builtin.set_fact: + manage_docker_networks: + - name: loadbalancer + - name: openconext_mariadb + when: mariadb_in_docker | default(false) | bool + - name: Create and start the server container community.docker.docker_container: name: manageserver @@ -80,8 +87,7 @@ pull: true restart_policy: "always" state: started - networks: - - name: "loadbalancer" + networks: "{{ manage_docker_networks}}" mounts: - source: /opt/openconext/manage/ target: /config/ diff --git a/roles/pdp/defaults/main.yml b/roles/pdp/defaults/main.yml index 4f548db6a..687f5f5ee 100644 --- a/roles/pdp/defaults/main.yml +++ b/roles/pdp/defaults/main.yml @@ -21,3 +21,5 @@ pdp_manage_provision_samlsp_trusted_proxy: false pdp_manage_provision_samlsp_sign: false pdp_spring_flyway_enabled: true pdp_manage_push_testmode: true +pdp_docker_networks: + -name: loadbalancer diff --git a/roles/pdp/tasks/main.yml b/roles/pdp/tasks/main.yml index b1e81edaf..086a6b0f1 100644 --- a/roles/pdp/tasks/main.yml +++ b/roles/pdp/tasks/main.yml 
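Review bot: In roles/pdp/defaults/main.yml the new `pdp_docker_networks:` is followed by `-name: loadbalancer` with no space after the dash, which YAML parses as a mapping with the single key `-name`, not as a one-element list; when `mariadb_in_docker` is false the set_fact never replaces it, and `networks: "{{ pdp_docker_networks }}"` in tasks/main.yml then hands `community.docker.docker_container` a dict where a list of `{name: …}` entries is expected, which as far as I can tell fails the "Create and start the server container" task. Change it to `  - name: loadbalancer`, as in the other roles' defaults.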
@@ -20,6 +20,13 @@ - xacml.conext.properties notify: restart pdpserver +- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker + ansible.builtin.set_fact: + pdp_docker_networks: + - name: loadbalancer + - name: openconext_mariadb + when: mariadb_in_docker | default(false) | bool + - name: Create and start the server container community.docker.docker_container: name: pdpserver @@ -29,8 +36,7 @@ pull: true restart_policy: "always" state: started - networks: - - name: "loadbalancer" + networks: "{{ pdp_docker_networks }}" mounts: - source: /opt/openconext/pdp/serverapplication.properties target: /application.properties @@ -59,7 +65,7 @@ retries: 3 start_period: 10s register: pdpservercontainer - + - name: Create the gui container community.docker.docker_container: name: pdpgui diff --git a/roles/spdashboard/defaults/main.yml b/roles/spdashboard/defaults/main.yml index 9548590a0..bb1c0f3c5 100644 --- a/roles/spdashboard/defaults/main.yml +++ b/roles/spdashboard/defaults/main.yml @@ -37,3 +37,5 @@ spdashboard_oidcng_playground_uri_test: https://oidc-playground.dev.support.surf spdashboard_oidcng_playground_uri_prod: https://oidc-playground.dev.support.surfconext.nl/redirect spdashboard_show_global_notice: False spdashboard_global_notice_date: "01-01-2020" +spdashboard_docker_networks: + - name: loadbalancer diff --git a/roles/spdashboard/tasks/main.yml b/roles/spdashboard/tasks/main.yml index f6cfbaaab..d11b11edd 100644 --- a/roles/spdashboard/tasks/main.yml +++ b/roles/spdashboard/tasks/main.yml @@ -15,9 +15,12 @@ group: root mode: 0644 -- name: Create the spdashboard container network - docker_network: - name: "spdashboard" +- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker + ansible.builtin.set_fact: + spdashboard_docker_networks: + - name: loadbalancer + - name: openconext_mariadb + when: mariadb_in_docker | default(false) | bool - name: Create the container docker_container: 
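Review bot: The spdashboard hunk drops the task that created the `spdashboard` docker network but adds nothing that removes it, so hosts provisioned before this change keep an unused network around indefinitely (the container never joined it; the old side of the next hunk shows it on `loadbalancer` only). If the network is no longer wanted, add a `community.docker.docker_network` task with `name: "spdashboard"` and `state: absent` so the role converges to the same state on old and new hosts. The "Create the container" task that starts at the bottom of this hunk still uses the short `docker_container:` name where the rest of the patch uses `community.docker.docker_container`; its body continues in the next hunk.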
@@ -26,8 +29,7 @@ env_file: "/opt/openconext/spdashboard/env" pull: true restart_policy: "always" - networks: - - name: "loadbalancer" + networks: "{{ spdashboard_docker_networks }}" labels: traefik.http.routers.spdashboard.rule: "Host(`{{ spdashboard_domain }}`)" traefik.http.routers.spdashboard.tls: "true" diff --git a/roles/stepupgateway/defaults/main.yml b/roles/stepupgateway/defaults/main.yml new file mode 100644 index 000000000..fc9eb42f3 --- /dev/null +++ b/roles/stepupgateway/defaults/main.yml @@ -0,0 +1,2 @@ +gateway_docker_networks: + - name: loadbalancer diff --git a/roles/stepupgateway/tasks/main.yml b/roles/stepupgateway/tasks/main.yml index fe01380d9..f101649d8 100644 --- a/roles/stepupgateway/tasks/main.yml +++ b/roles/stepupgateway/tasks/main.yml @@ -109,14 +109,20 @@ owner: "{{ appname }}" mode: "0600" +- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker + ansible.builtin.set_fact: + gateway_docker_networks: + - name: loadbalancer + - name: openconext_mariadb + when: mariadb_in_docker | default(false) | bool + - name: Create the container community.docker.docker_container: name: "{{ appname }}" image: ghcr.io/openconext/stepup-gateway/stepup-gateway:{{ gateway_version }} pull: true restart_policy: "always" - networks: - - name: "loadbalancer" + networks: "{{ gateway_docker_networks }}" labels: traefik.http.routers.gateway.rule: "Host(`{{ gateway_vhost_name }}`)" traefik.http.routers.gateway.tls: "true" diff --git a/roles/stepupmiddleware/defaults/main.yml b/roles/stepupmiddleware/defaults/main.yml new file mode 100644 index 000000000..a9bed70fa --- /dev/null +++ b/roles/stepupmiddleware/defaults/main.yml @@ -0,0 +1,2 @@ +middelware_docker_networks: + - name: loadbalancer diff --git a/roles/stepupmiddleware/tasks/docker.yml b/roles/stepupmiddleware/tasks/docker.yml index 443ecd4b7..48eba81bd 100644 --- a/roles/stepupmiddleware/tasks/docker.yml +++ b/roles/stepupmiddleware/tasks/docker.yml 
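Review bot: The new stepupmiddleware variable is spelled `middelware_docker_networks` (in this defaults file and in tasks/docker.yml), while every other new knob follows `<role>_docker_networks` with the role name spelled correctly (`gateway_docker_networks`, `tiqr_docker_networks`, `webauthn_docker_networks`); role defaults are the operator-facing override interface, so a misspelling that ships ends up in inventories and is painful to rename later. Rename it to `middleware_docker_networks` in both places before this lands. The four new defaults files could also start with `---`, as roles/mariadbdocker/tasks/main.yml in this series does.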
@@ -36,14 +36,20 @@ notify: - restart {{ appname }} +- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker + ansible.builtin.set_fact: + middelware_docker_networks: + - name: loadbalancer + - name: openconext_mariadb + when: mariadb_in_docker | default(false) | bool + - name: Create the container community.docker.docker_container: name: "{{ appname }}" image: ghcr.io/openconext/stepup-middleware/stepup-middleware:{{ middleware_version }} pull: true restart_policy: "always" - networks: - - name: "loadbalancer" + networks: "{{ middelware_docker_networks }}" labels: traefik.http.routers.middleware.rule: "Host(`{{ middleware_vhost_name }}`)" traefik.http.routers.middleware.tls: "true" diff --git a/roles/stepuptiqr/defaults/main.yml b/roles/stepuptiqr/defaults/main.yml new file mode 100644 index 000000000..9ebaecc27 --- /dev/null +++ b/roles/stepuptiqr/defaults/main.yml @@ -0,0 +1,2 @@ +tiqr_docker_networks: + - name: loadbalancer diff --git a/roles/stepuptiqr/tasks/main.yml b/roles/stepuptiqr/tasks/main.yml index dfed7faf2..52608184d 100644 --- a/roles/stepuptiqr/tasks/main.yml +++ b/roles/stepuptiqr/tasks/main.yml @@ -45,11 +45,11 @@ when: tiqr_apns_pemfile is defined - name: Write tiqr Firebase service json - copy: + ansible.builtin.copy: src: "{{ inventory_dir }}/secrets/stepup/tiqr-demo.json" dest: "{{ current_release_config_file_dir_name }}/tiqr-demo.json" owner: "{{ appname }}" - mode: 0400 + mode: "0400" when: tiqr_firebase_credentialsfile is defined - name: Place parameters.yml 
@@ -62,14 +62,20 @@ notify: - restart tiqr +- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker + ansible.builtin.set_fact: + tiqr_docker_networks: + - name: loadbalancer + - name: openconext_mariadb + when: mariadb_in_docker | default(false) | bool + - name: Create the container community.docker.docker_container: name: "{{ appname }}" image: ghcr.io/openconext/stepup-tiqr/stepup-tiqr:{{ tiqr_version }} pull: true restart_policy: "always" - networks: - - name: "loadbalancer" + networks: "{{ tiqr_docker_networks }}" labels: traefik.http.routers.tiqr.rule: "Host(`tiqr.{{ base_domain }}`)" traefik.http.routers.tiqr.tls: "true" diff --git a/roles/stepupwebauthn/defaults/main.yml b/roles/stepupwebauthn/defaults/main.yml new file mode 100644 index 000000000..98c9f7204 --- /dev/null +++ b/roles/stepupwebauthn/defaults/main.yml @@ -0,0 +1,2 @@ +webauthn_docker_networks: + - name: loadbalancer diff --git a/roles/stepupwebauthn/tasks/main.yml b/roles/stepupwebauthn/tasks/main.yml index 0e63f21e6..a0bfbb3d1 100644 --- a/roles/stepupwebauthn/tasks/main.yml +++ b/roles/stepupwebauthn/tasks/main.yml @@ -97,14 +97,20 @@ with_items: - "01-webauthn-db_init.sh" +- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker + ansible.builtin.set_fact: + webauthn_docker_networks: + - name: loadbalancer + - name: openconext_mariadb + when: mariadb_in_docker | default(false) | bool + - name: Create the container community.docker.docker_container: name: "{{ appname }}" image: ghcr.io/openconext/stepup-webauthn/stepup-webauthn:{{ webauthn_version }} pull: true restart_policy: "always" - networks: - - name: "loadbalancer" + networks: "{{ webauthn_docker_networks }}" labels: traefik.http.routers.webauthn.rule: "Host(`webauthn.{{ base_domain }}`)" traefik.http.routers.webauthn.tls: "true" diff --git a/roles/teams/defaults/main.yml b/roles/teams/defaults/main.yml index c88534d92..60d344650 100644 
--- a/roles/teams/defaults/main.yml +++ b/roles/teams/defaults/main.yml @@ -8,7 +8,7 @@ teams_tos_en: https://example.org teams_tos_nl: https://example.org teams_tos_pt: https://example.org teams_main_link: https://www.openconext.org -teams_organization: "{{ instance_name}}" +teams_organization: "{{ instance_name }}" teams_api_lifecycle_username: teams_api_lifecycle_user teams_oauth2_token_url: "https://connect.{{ base_domain }}/oidc/token" teams_authz_client_id: "teams.{{ base_domain }}" @@ -27,3 +27,5 @@ teams_manage_provision_samlsp_sp_cert: "" teams_manage_provision_samlsp_trusted_proxy: false teams_manage_provision_samlsp_sign: false teams_spring_flyway_enabled: true +teams_docker_networks: + - name: "loadbalancer" diff --git a/roles/teams/tasks/main.yml b/roles/teams/tasks/main.yml index 7561fe6bb..2e250d0af 100644 --- a/roles/teams/tasks/main.yml +++ b/roles/teams/tasks/main.yml @@ -19,6 +19,13 @@ - logback.xml notify: restart teamsserver +- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker + ansible.builtin.set_fact: + teams_docker_networks: + - name: loadbalancer + - name: openconext_mariadb + when: mariadb_in_docker | default(false) | bool + - name: Create and start the server container community.docker.docker_container: name: teamsserver @@ -28,8 +35,7 @@ pull: true restart_policy: "always" state: started - networks: - - name: "loadbalancer" + networks: "{{ teams_docker_networks }}" mounts: - source: /opt/openconext/teams/serverapplication.yml target: /application.yml From ec015720b018b5ab3ddb2ecc7df0477155d704aa Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Mon, 2 Dec 2024 10:32:51 +0100 Subject: [PATCH 23/32] Mariadb docker: Add a mariadb config file --- roles/mariadbdocker/files/settings.cnf | 2 ++ roles/mariadbdocker/tasks/main.yml | 18 ++++++++++++++++++ 2 files changed, 20 insertions(+) create mode 100644 roles/mariadbdocker/files/settings.cnf 
diff --git a/roles/mariadbdocker/files/settings.cnf b/roles/mariadbdocker/files/settings.cnf new file mode 100644 index 000000000..84a706c29 --- /dev/null +++ b/roles/mariadbdocker/files/settings.cnf @@ -0,0 +1,2 @@ +[mariadb] +sql_mode=NO_ENGINE_SUBSTITUTION diff --git a/roles/mariadbdocker/tasks/main.yml b/roles/mariadbdocker/tasks/main.yml index a50f3723a..cd748f83f 100644 --- a/roles/mariadbdocker/tasks/main.yml +++ b/roles/mariadbdocker/tasks/main.yml @@ -3,6 +3,21 @@ community.docker.docker_volume: name: openconext_mariadb state: present +- name: Create MariaDB config dir + ansible.builtin.file: + path: /opt/openconext/mariadb/ + owner: root + group: root + mode: "0755" + state: directory + +- name: Copy mariadb config file + ansible.builtin.copy: + src: settings.cnf + dest: /opt/openconext/mariadb/settings.cnf + owner: root + group: root + mode: "0644" - name: Create MariaDB network community.docker.docker_network: @@ -26,6 +41,9 @@ - type: volume source: openconext_mariadb target: /var/lib/mysql + - type: bind + source: /opt/openconext/mariadb/settings.cnf + target: /etc/mysql/conf.d/settings.cnf env: MARIADB_ROOT_PASSWORD: "{{ mariadb_root_password }}" From fa109b3f5731b241ad7331a7c8ec61ebba39994a Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Wed, 4 Dec 2024 14:19:17 +0100 Subject: [PATCH 24/32] Added ribbon env variables for myconext --- roles/myconext/templates/application.yml.j2 | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/myconext/templates/application.yml.j2 b/roles/myconext/templates/application.yml.j2 index 2502621b8..0c99f6c9f 100644 --- a/roles/myconext/templates/application.yml.j2 +++ b/roles/myconext/templates/application.yml.j2 @@ -223,6 +223,11 @@ spring: main: banner-mode: "off" +gui: + disclaimer: + background-color: {{ environment_ribbon_colour }} + content: {{ environment_shortname }} + # We disable all endpoints except health for the load-balancer and info for git information. management: health: 
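Review bot: `sql_mode=NO_ENGINE_SUBSTITUTION` replaces MariaDB's built-in default rather than adding to it; for 10.2.4 and later the documented default also contains `STRICT_TRANS_TABLES` and `ERROR_FOR_DIVISION_BY_ZERO`, so this file silently turns strict mode off for every database in the container — out-of-range values and over-long strings are then truncated instead of rejected, a data-integrity change with a large blast radius. If one application needs the relaxed mode, record which one and keep the rest, e.g. a comment above the line such as `# Strict mode disabled for <app — TODO name it>; MariaDB 10.6 default is STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION` so the next reader knows the relaxation is deliberate.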
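Review bot: In the myconext application.yml.j2 hunk, `background-color: {{ environment_ribbon_colour }}` and `content: {{ environment_shortname }}` render unquoted, so the YAML type of the result depends on the inventory value: a colour written as `#ffcc00` opens a comment after the colon and leaves `background-color` null, and a short name such as `NO` or `ON` becomes a boolean. Quote both: `background-color: "{{ environment_ribbon_colour }}"` and `content: "{{ environment_shortname }}"`.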
From 67f75e7991b4c72190fbcdb62903f4711e73deff Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Wed, 4 Dec 2024 15:24:14 +0100 Subject: [PATCH 25/32] https://github.com/OpenConext/OpenConext-myconext/issues/545 --- environments/template/group_vars/template.yml | 1 + environments/vm/group_vars/vm.yml | 1 + roles/myconext/templates/application.yml.j2 | 5 ++++- 3 files changed, 6 insertions(+), 1 deletion(-) diff --git a/environments/template/group_vars/template.yml b/environments/template/group_vars/template.yml index 3374a4b90..4802bd2d6 100644 --- a/environments/template/group_vars/template.yml +++ b/environments/template/group_vars/template.yml @@ -419,6 +419,7 @@ myconext: feature_show_connections: false feature_id_verify: true feature_remote_creation_api: true + feature_mail_institution_mail_usage: true feature_send_js_exceptions: true feature_deny_disposable_email_providers: true feature_create_eduid_institution_enabled: true diff --git a/environments/vm/group_vars/vm.yml b/environments/vm/group_vars/vm.yml index e22fea2dd..ecab6e6de 100644 --- a/environments/vm/group_vars/vm.yml +++ b/environments/vm/group_vars/vm.yml @@ -310,6 +310,7 @@ myconext: feature_warning_educational_email_domain: false feature_id_verify: true feature_remote_creation_api: true + feature_mail_institution_mail_usage: true feature_send_js_exceptions: true feature_deny_disposable_email_providers: true feature_create_eduid_institution_enabled: true diff --git a/roles/myconext/templates/application.yml.j2 b/roles/myconext/templates/application.yml.j2 index 0c99f6c9f..61c9597c1 100644 --- a/roles/myconext/templates/application.yml.j2 +++ b/roles/myconext/templates/application.yml.j2 @@ -55,6 +55,8 @@ cron: token-cleaner-expression: "0 0/15 * * * *" manage-initial-delay-milliseconds: 15000 manage-fixed-rate-milliseconds: 300_000 + # Runs on the first day of February, May, August, and November. + mail-institution-mail-usage-expression: "0 0 0 1 2,5,8,11 *" manage: username: myconext 
@@ -103,7 +105,8 @@ feature: remote_creation_api: {{ myconext.feature_remote_creation_api }} # Do we send error mails for reported errors by the JS UI send_js_exceptions: {{ myconext.feature_send_js_exceptions }} - + # Do we periodically mail users who have used their institution account + mail_institution_mail_usage: {{ myconext.feature_mail_institution_mail_usage }} secure_cookie: true idp_entity_id: https://login.{{ myconext_base_domain }} From beb5f380b0528fb424b77d1ab65fe134c9b94499 Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Thu, 5 Dec 2024 14:25:08 +0100 Subject: [PATCH 26/32] https://github.com/OpenConext/OpenConext-myconext/issues/547 --- environments/template/group_vars/template.yml | 1 + environments/vm/group_vars/vm.yml | 1 + roles/myconext/templates/application.yml.j2 | 6 ++++++ 3 files changed, 8 insertions(+) diff --git a/environments/template/group_vars/template.yml b/environments/template/group_vars/template.yml index 4802bd2d6..0512e06fc 100644 --- a/environments/template/group_vars/template.yml +++ b/environments/template/group_vars/template.yml @@ -420,6 +420,7 @@ myconext: feature_id_verify: true feature_remote_creation_api: true feature_mail_institution_mail_usage: true + feature_nudge_app_mail: true feature_send_js_exceptions: true feature_deny_disposable_email_providers: true feature_create_eduid_institution_enabled: true diff --git a/environments/vm/group_vars/vm.yml b/environments/vm/group_vars/vm.yml index ecab6e6de..ad0cb3160 100644 --- a/environments/vm/group_vars/vm.yml +++ b/environments/vm/group_vars/vm.yml @@ -311,6 +311,7 @@ myconext: feature_id_verify: true feature_remote_creation_api: true feature_mail_institution_mail_usage: true + feature_nudge_app_mail: true feature_send_js_exceptions: true feature_deny_disposable_email_providers: true feature_create_eduid_institution_enabled: true diff --git a/roles/myconext/templates/application.yml.j2 b/roles/myconext/templates/application.yml.j2 index 61c9597c1..4b180a428 100644 
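Review bot: `mail_institution_mail_usage: {{ myconext.feature_mail_institution_mail_usage }}` is rendered without a default, so an inventory whose `myconext` mapping predates this commit fails to template the whole file with an undefined-variable error instead of running with the feature off; the same pattern is repeated for `feature_nudge_app_mail` in PATCH 26 and `feature_mail_inactivity_mails` in PATCH 30. If environments outside this repository are expected to keep deploying, render it as `mail_institution_mail_usage: {{ myconext.feature_mail_institution_mail_usage | default(false) }}` so a missing flag is a safe no-op rather than a failed run. The `feature:` mapping starts outside the hunk.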
--- a/roles/myconext/templates/application.yml.j2 +++ b/roles/myconext/templates/application.yml.j2 @@ -57,6 +57,10 @@ cron: manage-fixed-rate-milliseconds: 300_000 # Runs on the first day of February, May, August, and November. mail-institution-mail-usage-expression: "0 0 0 1 2,5,8,11 *" + # Every day at 6:30AM + nudge-app-mail-expression: "0 30 6 * * ?" + # Number of days after creation of the eduID account which the nudge mail is send + nudge-app-mail-days-after-creation: 14 manage: username: myconext @@ -107,6 +111,8 @@ feature: send_js_exceptions: {{ myconext.feature_send_js_exceptions }} # Do we periodically mail users who have used their institution account mail_institution_mail_usage: {{ myconext.feature_mail_institution_mail_usage }} + # Do we mail users who have not installed the eduID app + nudge_app_mail: {{ myconext.feature_nudge_app_mail }} secure_cookie: true idp_entity_id: https://login.{{ myconext_base_domain }} From 0399d42789f4e7ed76645d900d2934a1136597e4 Mon Sep 17 00:00:00 2001 From: Peter Havekes Date: Thu, 5 Dec 2024 14:41:40 +0100 Subject: [PATCH 27/32] Fix stepup-webauthn logo location --- roles/stepupwebauthn/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/stepupwebauthn/tasks/main.yml b/roles/stepupwebauthn/tasks/main.yml index a0bfbb3d1..a1738fc01 100644 --- a/roles/stepupwebauthn/tasks/main.yml +++ b/roles/stepupwebauthn/tasks/main.yml @@ -119,8 +119,8 @@ APACHE_UID: "#{{ webauthn_uid.uid }}" APACHE_GUID: "#{{ webauthn_guid.gid }}" mounts: - - source: /opt/openconext/webauthn/public/images/header-logo.png - target: /var/www/html/public/build/images/logo/header-logo.png + - source: /opt/openconext/azuremfa/public/images/header-logo.png + target: /var/www/html/public/build/images/header-logo.png type: bind - source: /opt/openconext/webauthn target: /var/www/html/config/openconext From 1cb30d8a1b7ed14aebf7889d90f5fc3444f113c4 Mon Sep 17 00:00:00 2001 
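Review bot: `nudge-app-mail-expression: "0 30 6 * * ?"` uses `?` in the day-of-week field while the line just above it, `mail-institution-mail-usage-expression: "0 0 0 1 2,5,8,11 *"`, uses `*`; Spring's cron parser accepts both, but mixing the two styles in one block invites a mis-read, so pick one for the file. The comment on `nudge-app-mail-days-after-creation` reads `...which the nudge mail is send`; suggest `# Number of days after account creation before the nudge mail is sent`. The `cron:` mapping starts outside the hunk.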
From: Peter Havekes Date: Mon, 9 Dec 2024 10:12:29 +0100 Subject: [PATCH 28/32] Stepup-webauthn Fix image path --- roles/stepupwebauthn/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/stepupwebauthn/tasks/main.yml b/roles/stepupwebauthn/tasks/main.yml index a1738fc01..2a51ac91f 100644 --- a/roles/stepupwebauthn/tasks/main.yml +++ b/roles/stepupwebauthn/tasks/main.yml @@ -119,7 +119,7 @@ APACHE_UID: "#{{ webauthn_uid.uid }}" APACHE_GUID: "#{{ webauthn_guid.gid }}" mounts: - - source: /opt/openconext/azuremfa/public/images/header-logo.png + - source: /opt/openconext/webauthn/public/images/header-logo.png target: /var/www/html/public/build/images/header-logo.png type: bind - source: /opt/openconext/webauthn From ddf04a368344f2495ab9c1aee61d62b8dd49cb15 Mon Sep 17 00:00:00 2001 From: Pieter van der Meulen Date: Tue, 10 Dec 2024 10:18:20 +0100 Subject: [PATCH 29/32] Add activation flow sellection using entitlement attribute for selfservice 5.0.5 --- roles/stepupselfservice/templates/parameters.yml.j2 | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/stepupselfservice/templates/parameters.yml.j2 b/roles/stepupselfservice/templates/parameters.yml.j2 index cb2f25759..54c6e1bb3 100644 --- a/roles/stepupselfservice/templates/parameters.yml.j2 +++ b/roles/stepupselfservice/templates/parameters.yml.j2 @@ -89,6 +89,11 @@ parameters: preferred_activation_flow_name: activate preferred_activation_flow_options: [ra, self] + activation_flow_attribute_name: urn:mace:dir:attribute-def:eduPersonEntitlement + activation_flow_attributes: + ra: urn:mace:surf.nl:surfsecureid:activation:ra + self: urn:mace:surf.nl:surfsecureid:activation:self + # Self-asserted tokens: enable/disable recovery methods # # One of the two options should be enabled to have a fully functioning From 5f77f8ec83e47f311cf52f8b4eaead74a962051e Mon Sep 17 00:00:00 2001 
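Review bot: The three new values are SURF-specific URNs hard-coded into a shared role template (`activation_flow_attribute_name: urn:mace:dir:attribute-def:eduPersonEntitlement` and the two `urn:mace:surf.nl:surfsecureid:activation:*` entitlements), so any other deployer of this role gets SURF's entitlement names and can only change them by forking the template. Consider moving them to role defaults and rendering them, quoted, from variables, e.g. `activation_flow_attribute_name: "{{ <role variable> }}"`, keeping the current URNs as the default values. Since the flow a user gets is presumably chosen from an IdP-asserted attribute, the accepted entitlement values are worth documenting next to those variables as input trusted from the institution IdP. The `parameters:` mapping starts outside the hunk.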
From: Okke Harsta Date: Wed, 11 Dec 2024 10:15:41 +0100 Subject: [PATCH 30/32] https://github.com/OpenConext/OpenConext-myconext/issues/606 --- environments/template/group_vars/template.yml | 1 + environments/vm/group_vars/vm.yml | 1 + roles/myconext/templates/application.yml.j2 | 4 ++++ 3 files changed, 6 insertions(+) diff --git a/environments/template/group_vars/template.yml b/environments/template/group_vars/template.yml index 0512e06fc..5093e0f92 100644 --- a/environments/template/group_vars/template.yml +++ b/environments/template/group_vars/template.yml @@ -420,6 +420,7 @@ myconext: feature_id_verify: true feature_remote_creation_api: true feature_mail_institution_mail_usage: true + feature_mail_inactivity_mails: true feature_nudge_app_mail: true feature_send_js_exceptions: true feature_deny_disposable_email_providers: true diff --git a/environments/vm/group_vars/vm.yml b/environments/vm/group_vars/vm.yml index ad0cb3160..1ed11a8a1 100644 --- a/environments/vm/group_vars/vm.yml +++ b/environments/vm/group_vars/vm.yml @@ -311,6 +311,7 @@ myconext: feature_id_verify: true feature_remote_creation_api: true feature_mail_institution_mail_usage: true + feature_mail_inactivity_mails: true feature_nudge_app_mail: true feature_send_js_exceptions: true feature_deny_disposable_email_providers: true diff --git a/roles/myconext/templates/application.yml.j2 b/roles/myconext/templates/application.yml.j2 index 4b180a428..66ac68c53 100644 --- a/roles/myconext/templates/application.yml.j2 +++ b/roles/myconext/templates/application.yml.j2 @@ -61,6 +61,8 @@ cron: nudge-app-mail-expression: "0 30 6 * * ?" # Number of days after creation of the eduID account which the nudge mail is send nudge-app-mail-days-after-creation: 14 + # Every day at 7:30AM + inactivity-users-expression: "0 30 7 * * ?" manage: username: myconext 
@@ -111,6 +113,8 @@ feature: send_js_exceptions: {{ myconext.feature_send_js_exceptions }} # Do we periodically mail users who have used their institution account mail_institution_mail_usage: {{ myconext.feature_mail_institution_mail_usage }} + # Do we periodically mail users who are inactive and might have their account deleted + mail_inactivity_mails: {{ myconext.feature_mail_inactivity_mails }} # Do we mail users who have not installed the eduID app nudge_app_mail: {{ myconext.feature_nudge_app_mail }} From cdb57e463b9e4777765d509612709718d5d42b75 Mon Sep 17 00:00:00 2001 From: Bas Zoetekouw Date: Fri, 13 Dec 2024 14:36:30 +0100 Subject: [PATCH 31/32] MANAGE: add `coin:disable_scoping` by defualt for new IdPs (closes OpenConext/OpenConext-Manage#458) --- roles/manage/files/metadata_templates/saml20_idp.template.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/manage/files/metadata_templates/saml20_idp.template.json b/roles/manage/files/metadata_templates/saml20_idp.template.json index 8698863f2..3c29ee713 100644 --- a/roles/manage/files/metadata_templates/saml20_idp.template.json +++ b/roles/manage/files/metadata_templates/saml20_idp.template.json @@ -9,7 +9,8 @@ "name:en": "", "OrganizationName:en": "", "SingleSignOnService:0:Binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", - "SingleSignOnService:0:Location": "" + "SingleSignOnService:0:Location": "", + "coin:disable_scoping": true }, "autoRefresh": { "enabled": true, From e9ec11dd8ad3f62ea55c663f97b802a0768bccc7 Mon Sep 17 00:00:00 2001 From: Bas Zoetekouw Date: Mon, 16 Dec 2024 17:32:03 +0100 Subject: [PATCH 32/32] add dependabot got github-actions --- .github/dependabot.yml | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 000000000..23c4cb3b5 --- /dev/null +++ b/.github/dependabot.yml 
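Review bot: `"coin:disable_scoping": true` is added as a JSON boolean while every neighbouring metaDataFields value in this template is a string; whether Manage expects the boolean or a string form for this field cannot be seen from the hunk, so confirm the representation against the field's definition in Manage's metadata configuration before relying on it as the default for every new IdP. JSON has no comments, so the rationale referenced as OpenConext/OpenConext-Manage#458 belongs in the role README rather than only in the commit message.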
@@ -0,0 +1,7 @@
+---
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
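Review bot: Dependabot is enabled only for the `github-actions` ecosystem, which keeps action references current but does not by itself protect against a release tag being moved to different code; that protection comes from pinning each action to a full commit SHA in the workflow files, which Dependabot still updates when a `# vX.Y.Z` comment follows the pin. The workflows are not visible from this hunk, so verify they use SHA pins rather than mutable tags. Consider also `open-pull-requests-limit` and a `groups:` stanza so a weekly run does not open one PR per action.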