diff --git a/group_vars/all.yml b/group_vars/all.yml
index 688cc2c..d927416 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -49,7 +49,7 @@ vpc_availability_zone:
 ssh_bastion_instance_type: t2.nano
 # Most current Debian AMD x86_64, see https://wiki.debian.org/Cloud/AmazonEC2Image/
-ssh_bastion_ami_id: ami-066ac52b0a91f4138
+ssh_bastion_ami_id: ami-0c1b4dff690b5d229
 ssh_bastion_user: admin
 ssh_bastion_device_name: /dev/xvda
 ssh_bastion_volume_type: gp2
@@ -57,7 +57,7 @@ ssh_bastion_volume_size: 10
 idp_node_instance_type: t2.small
 # Most current Debian AMD x86_64, see https://wiki.debian.org/Cloud/AmazonEC2Image/
-idp_node_ami_id: ami-066ac52b0a91f4138
+idp_node_ami_id: ami-0c1b4dff690b5d229
 idp_node_user: admin
 idp_node_device_name: /dev/xvda
 idp_node_volume_type: gp2
@@ -67,15 +67,15 @@ training_node_count: 2
 training_node_instance_type: t2.small
 # Most current Debian AMD x86_64, see https://wiki.debian.org/Cloud/AmazonEC2Image/
-training_node_ami_id: ami-066ac52b0a91f4138
+training_node_ami_id: ami-0c1b4dff690b5d229
 training_node_user: admin
 training_node_device_name: /dev/xvda
 training_node_volume_type: gp2
 training_node_volume_size: 20
 # Docker version
-docker_ce_package_version: "5:20.10.20~3-0~debian-bullseye"
-docker_ce_cli_package_version: "5:20.10.20~3-0~debian-bullseye"
-containerd_io_package_version: "1.6.8-1"
+docker_ce_package_version: "5:23.0.1-1~debian.11~bullseye"
+docker_ce_cli_package_version: "5:23.0.1-1~debian.11~bullseye"
+containerd_io_package_version: "1.6.18-1"
diff --git a/roles/training/files/comanage-match-stack.yml b/roles/training/files/comanage-match-stack.yml
new file mode 100644
index 0000000..063c51d
--- /dev/null
+++ b/roles/training/files/comanage-match-stack.yml
@@ -0,0 +1,82 @@
+version: '3.7'
+
+services:
+
+ matchdatabase:
+ image: postgres:14.7
+ volumes:
+ - /srv/docker/var/lib/postgresql/data:/var/lib/postgresql/data
+ - /srv/docker/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d
+ environment:
+ - POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password
+ - COMANAGE_MATCH_DATABASE_USER_PASSWORD_FILE=/run/secrets/comanage_match_database_user_password
+ secrets:
+ - comanage_match_database_user_password
+ - postgres_password
+ deploy:
+ replicas: 1
+ logging:
+ driver: journald
+ options:
+ tag: "postgresql-{{.Name}}"
+
+ match:
+ image: i2incommon/comanage-match:1.1.0-internet2-tap-1
+ volumes:
+ - /srv/docker/srv/comanage-match/local:/srv/comanage-match/local
+ - /srv/docker/etc/shibboleth/shibboleth2.xml:/etc/shibboleth/shibboleth2.xml
+ - /srv/docker/etc/shibboleth/attribute-map.xml:/etc/shibboleth/attribute-map.xml
+ - /srv/docker/etc/shibboleth/idp-metadata.xml:/etc/shibboleth/idp-metadata.xml
+ - /srv/docker/etc/httpd/conf.d/000-comanagematch.conf:/etc/httpd/conf.d/000-comanage.conf
+ environment:
+ - COMANAGE_REGISTRY_ADMIN_GIVEN_NAME=Carla
+ - COMANAGE_REGISTRY_ADMIN_FAMILY_NAME=Woo
+ - COMANAGE_MATCH_ADMIN_USERNAME=carla.woo@comanage.incommon.training
+ - COMANAGE_MATCH_DATASOURCE=Database/Postgres
+ - COMANAGE_MATCH_DATABASE=match
+ - COMANAGE_MATCH_DATABASE_HOST=matchdatabase
+ - COMANAGE_MATCH_DATABASE_USER=match_user
+ - COMANAGE_MATCH_DATABASE_USER_PASSWORD_FILE=/run/secrets/comanage_match_database_user_password
+ - COMANAGE_MATCH_EMAIL_TRANSPORT=Smtp
+ - COMANAGE_MATCH_EMAIL_HOST=tls://smtp.gmail.com
+ - COMANAGE_MATCH_EMAIL_PORT=465
+ - COMANAGE_MATCH_EMAIL_ACCOUNT=comanagetraining@gmail.com
+ - COMANAGE_MATCH_EMAIL_ACCOUNT_PASSWORD_FILE=/run/secrets/comanage_registry_email_account_password
+ - COMANAGE_MATCH_EMAIL_FROM_EMAIL=comanagetraining@gmail.com
+ - COMANAGE_MATCH_EMAIL_FROM_NAME=Match
+ - SHIBBOLETH_SP_ENCRYPT_CERT=/run/secrets/shibboleth_sp_encrypt_cert
+ - SHIBBOLETH_SP_ENCRYPT_PRIVKEY=/run/secrets/shibboleth_sp_encrypt_privkey
+ - SHIBBOLETH_SP_SIGNING_CERT=/run/secrets/shibboleth_sp_signing_cert
+ - SHIBBOLETH_SP_SIGNING_PRIVKEY=/run/secrets/shibboleth_sp_signing_privkey
+ secrets:
+ - comanage_match_database_user_password
+ - comanage_registry_email_account_password
+ - shibboleth_sp_encrypt_cert
+ - shibboleth_sp_encrypt_privkey
+ - shibboleth_sp_signing_cert
+ - shibboleth_sp_signing_privkey
+ ports:
+ - "80:80"
+ deploy:
+ replicas: 1
+ logging:
+ driver: journald
+ options:
+ tag: "match_{{.Name}}"
+
+
+secrets:
+ comanage_registry_email_account_password:
+ external: true
+ shibboleth_sp_encrypt_cert:
+ external: true
+ shibboleth_sp_encrypt_privkey:
+ external: true
+ shibboleth_sp_signing_cert:
+ external: true
+ shibboleth_sp_signing_privkey:
+ external: true
+ comanage_match_database_user_password:
+ external: true
+ postgres_password:
+ external: true
diff --git a/roles/training/files/comanage-registry-stack.yml b/roles/training/files/comanage-registry-stack.yml
index 2af0476..53c0bc5 100644
--- a/roles/training/files/comanage-registry-stack.yml
+++ b/roles/training/files/comanage-registry-stack.yml
@@ -1,8 +1,8 @@
-version: '3.7'
+version: '3.8'
 services:
 database:
- image: mariadb:10.4.22
+ image: mariadb:10.4.28
 volumes:
 - /srv/docker/var/lib/mysql:/var/lib/mysql
 environment:
@@ -21,7 +21,7 @@ services:
 tag: "mariadb-{{.Name}}"
 campusdatabase:
- image: mariadb:10.4.22
+ image: mariadb:10.4.28
 volumes:
 - /srv/docker/var/lib/campussql:/var/lib/mysql
 environment:
@@ -40,7 +40,7 @@ services:
 tag: "mariadb-{{.Name}}"
 registry:
- image: i2incommon/comanage-registry:4.0.2-20220223
+ image: i2incommon/comanage-registry:4.1.1-20230202
 volumes:
 - /srv/docker/srv/comanage-registry/local:/srv/comanage-registry/local
 - /srv/docker/etc/shibboleth/shibboleth2.xml:/etc/shibboleth/shibboleth2.xml
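Review bot: The match service's environment names the admin's given and family name with the registry prefix (`COMANAGE_REGISTRY_ADMIN_GIVEN_NAME=Carla`, `COMANAGE_REGISTRY_ADMIN_FAMILY_NAME=Woo`) while the username uses `COMANAGE_MATCH_ADMIN_USERNAME`; if the comanage-match image reads a `COMANAGE_MATCH_ADMIN_*` prefix for all three (I cannot confirm the image's contract from here), the two name fields go silently unset, so the keys should be checked against the image's documentation. The service publishes only `"80:80"`, whereas the Apache template added in this same commit declares `ServerName https://{{ public_fqdn }}:443`; if TLS is terminated in front of this host, a comment on the `ports:` entry saying so would help, otherwise the Shibboleth session cookie is carried over plain HTTP. The file also opens with `version: '3.7'` while comanage-registry-stack.yml moves to `'3.8'` in this commit; `version: '3.8'` keeps the two stack files aligned.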
@@ -48,9 +48,9 @@ services:
 - /srv/docker/etc/shibboleth/idp-metadata.xml:/etc/shibboleth/idp-metadata.xml
 - /srv/docker/etc/httpd/conf.d/000-comanage.conf:/etc/httpd/conf.d/000-comanage.conf
 environment:
- - COMANAGE_REGISTRY_ADMIN_GIVEN_NAME=
- - COMANAGE_REGISTRY_ADMIN_FAMILY_NAME=
- - COMANAGE_REGISTRY_ADMIN_USERNAME=
+ - COMANAGE_REGISTRY_ADMIN_GIVEN_NAME=Carla
+ - COMANAGE_REGISTRY_ADMIN_FAMILY_NAME=Woo
+ - COMANAGE_REGISTRY_ADMIN_USERNAME=carla.woo@comanage.incommon.training
 - COMANAGE_REGISTRY_DATASOURCE=Database/Mysql
 - COMANAGE_REGISTRY_DATABASE=registry
 - COMANAGE_REGISTRY_DATABASE_HOST=database
@@ -85,7 +85,7 @@ services:
 tag: "registry_{{.Name}}"
 cron:
- image: i2incommon/comanage-registry-cron:4.0.2-20220223
+ image: i2incommon/comanage-registry-cron:4.1.1-20230202
 volumes:
 - /srv/docker/srv/comanage-registry/local:/srv/comanage-registry/local
 environment:
@@ -115,7 +115,7 @@ services:
 - olc_root_pw
 - olc_root_dn_password
 ports:
- - "389:389"
+ - "389:389"
 deploy:
 replicas: 1
 logging:
diff --git a/roles/training/files/init-user-db.sh b/roles/training/files/init-user-db.sh
new file mode 100755
index 0000000..59df0bb
--- /dev/null
+++ b/roles/training/files/init-user-db.sh
@@ -0,0 +1,14 @@
+#!/bin/bash -x
+set -e
+
+declare COMANAGE_MATCH_DATABASE_USER_PASSWORD=$(< ${COMANAGE_MATCH_DATABASE_USER_PASSWORD_FILE})
+
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
+ CREATE USER match_user PASSWORD '${COMANAGE_MATCH_DATABASE_USER_PASSWORD}';
+ CREATE DATABASE match;
+ GRANT ALL PRIVILEGES ON DATABASE match TO match_user;
+EOSQL
+
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname match <<-EOSQL
+ CREATE EXTENSION fuzzystrmatch;
+EOSQL
diff --git a/roles/training/tasks/main.yml b/roles/training/tasks/main.yml
index 6c091cc..ddbb8df 100644
--- a/roles/training/tasks/main.yml
+++ b/roles/training/tasks/main.yml
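Review bot: In init-user-db.sh the `#!/bin/bash -x` shebang makes the shell print every expanded command, so the `declare COMANAGE_MATCH_DATABASE_USER_PASSWORD=...` line writes the plaintext database password to the container's stdout, which the stack's journald logging driver then persists; the `_FILE` indirection that keeps the secret out of the environment is undone by that single flag. Use `#!/bin/bash` (or bracket the declare with `set +x` / `set -x`) and keep `set -e` as the only shell option. The password is also interpolated straight into the SQL literal, so a value containing `'` breaks the statement; passing it as a psql variable, `psql -v ON_ERROR_STOP=1 -v pw="$COMANAGE_MATCH_DATABASE_USER_PASSWORD" --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL` with `CREATE USER match_user PASSWORD :'pw';`, lets psql quote it correctly. The unquoted `${COMANAGE_MATCH_DATABASE_USER_PASSWORD_FILE}` inside `$(< ...)` should be double-quoted as well.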
@@ -33,19 +33,25 @@
 - /srv/docker/etc/apache2/sites-available
 - /srv/docker/etc/httpd/conf.d
 - /srv/docker/ldif
+ - /srv/docker/docker-entrypoint-initdb.d
+ - /srv/docker/var/lib/postgresql/data
+ - /srv/docker/srv/comanage-match/local
- - name: Copy service stack file
+ - name: Copy service stack files
 copy:
- src: comanage-registry-stack.yml
- dest: /home/training/comanage-registry-stack.yml
+ src: "{{item}}"
+ dest: "/home/training/{{item}}"
 owner: training
 group: training
 mode: '0644'
 # Do not overwrite an existing file even if it has been
 # modified.
 force: "{{ force_update_stack_file }}"
+ loop:
+ - comanage-registry-stack.yml
+ - comanage-match-stack.yml
 tags:
- - update_stack_file
+ - update_stack_files
 - name: Create userPassword hash for LDIF input file
 command:
@@ -85,6 +91,14 @@
 group: root
 mode: '0644'
+ - name: Copy postgres database initialization file
+ copy:
+ src: init-user-db.sh
+ dest: /srv/docker/docker-entrypoint-initdb.d/init-user-db.sh
+ owner: root
+ group: root
+ mode: '0755'
+
 - name: Create secret olc_root_pw
 community.general.docker_secret:
 name: olc_root_pw
@@ -139,6 +153,30 @@
 data: "{{ shibboleth_sp_signing_privkey }}"
 state: present
+ - name: Create secret mysql_root_password
+ community.general.docker_secret:
+ name: mysql_root_password
+ data: "{{ mysql_root_password }}"
+ state: present
+
+ - name: Create secret mysql_registry_user_password
+ community.general.docker_secret:
+ name: mysql_registry_user_password
+ data: "{{ mysql_registry_user_password }}"
+ state: present
+
+ - name: Create secret postgres_password
+ community.general.docker_secret:
+ name: postgres_password
+ data: "{{ postgres_password }}"
+ state: present
+
+ - name: Create secret comanage_match_database_user_password
+ community.general.docker_secret:
+ name: comanage_match_database_user_password
+ data: "{{ comanage_match_database_user_password }}"
+ state: present
+
 - name: Copy Shibboleth SP configuration files
 copy:
 src: "{{ item }}"
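Review bot: The new `src: "{{item}}"` and `dest: "/home/training/{{item}}"` in the stack-file task drop the spaces inside the braces, whereas the rest of this file writes `"{{ item }}"` (the Shibboleth SP copy task's `src: "{{ item }}"` is visible as context later in this commit); `src: "{{ item }}"` and `dest: "/home/training/{{ item }}"` keep the Jinja style uniform and ansible-lint quiet. Renaming the tag from `update_stack_file` to `update_stack_files` also breaks any existing `--tags update_stack_file` invocation, which deserves a line in the README or a transition period with both tags listed. The enclosing task list starts before the hunk.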
@@ -160,12 +198,17 @@
 - name: Copy Apache configuration file
 template:
- src: 000-comanage.conf
+ src: "{{item}}"
+ #src: 000-comanage.conf
 #dest: /srv/docker/etc/apache2/sites-available/000-comanage.conf
- dest: /srv/docker/etc/httpd/conf.d/000-comanage.conf
+ #dest: /srv/docker/etc/httpd/conf.d/000-comanage.conf
+ dest: "/srv/docker/etc/httpd/conf.d/{{item}}"
 owner: root
 group: root
 mode: '0644'
+ loop:
+ - 000-comanage.conf
+ - 000-comanagematch.conf
 - name: Copy registar FileSource CSV input file
 copy:
diff --git a/roles/training/templates/000-comanagematch.conf b/roles/training/templates/000-comanagematch.conf
new file mode 100644
index 0000000..06afa3a
--- /dev/null
+++ b/roles/training/templates/000-comanagematch.conf
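Review bot: The hunk adds commented-out dead settings (`#src: 000-comanage.conf`, `#dest: /srv/docker/etc/httpd/conf.d/000-comanage.conf`) next to the pre-existing `#dest: ...sites-available...` line; git history already records the old values, so all three comment lines should be removed rather than accumulated. The task is still named `Copy Apache configuration file` although it now loops over two templates; `- name: Copy Apache configuration files` matches the plural chosen for the stack-file task in this commit. As in that task, `{{item}}` should be written `{{ item }}` to follow the file's existing Jinja spacing.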
@@ -0,0 +1,65 @@ +# COmanage Match Apache HTTP Server configuration +# +# Portions licensed to the University Corporation for Advanced Internet +# Development, Inc. ("UCAID") under one or more contributor license agreements. +# See the NOTICE file distributed with this work for additional information +# regarding copyright ownership. +# +# UCAID licenses this file to you under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with the +# License. You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + + +ServerName https://{{ public_fqdn }}:443 +UseCanonicalName On + +DocumentRoot /var/www/html + +RedirectMatch ^/$ /match/ + +PassEnv ENV +PassEnv USERTOKEN + +ErrorLogFormat "httpd;ssl_error_log;%{ENV}e;%{USERTOKEN}e;[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i" +ErrorLog /tmp/logpipe +LogLevel warn + +LogFormat "httpd;ssl_access_log;%{ENV}e;%{USERTOKEN}e;%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" ssl_combined +CustomLog /tmp/logpipe ssl_combined + + +Options Indexes FollowSymLinks +DirectoryIndex index.php +AllowOverride All +Require all granted + + + +SetHandler shib + + + +AuthType shibboleth +ShibRequestSetting requireSession 1 +Require valid-user + + + +AuthType shibboleth +Require shibboleth + + +RewriteEngine On +RewriteCond %{QUERY_STRING} !after_redirect +RewriteRule ^/match/auth/logout.* https://%{HTTP_HOST}/Shibboleth.sso/Logout?return=https://%{HTTP_HOST}/match/auth/logout/?after_redirect [L,R] + + 
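Review bot: `Options Indexes FollowSymLinks` enables automatic directory listings for the tree under `DocumentRoot /var/www/html`, which shows the application's file layout to any unauthenticated client; unless listings are intended, `Options FollowSymLinks` (or `Options -Indexes +FollowSymLinks`) is the safer default, and the registry's 000-comanage.conf is worth checking for the same setting. The logout RewriteRule builds the Shibboleth `return=` target from `%{HTTP_HOST}`, i.e. the client-supplied Host header; with `UseCanonicalName On` already set, `%{SERVER_NAME}` pins it to the configured `{{ public_fqdn }}` instead. The `<Directory>`/`<Location>` container lines appear to have been stripped from this rendering of the hunk (the header's 65 lines do not match what is shown), so I cannot tell which scope each directive group belongs to.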
diff --git a/roles/training/vars/main.yml b/roles/training/vars/main.yml
index fc6f2e3..eb8d03c 100644
--- a/roles/training/vars/main.yml
+++ b/roles/training/vars/main.yml
@@ -451,3 +451,31 @@
 33643666386531646362373336656665316265653666636163353730616262366661323930316532
 33356539396265366332353363393762373537326565666466323937653733386233313136303862
 3766
+ mysql_root_password: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 38336331613735373932376164643734393530356266623964353837316632633231323863316338
+ 3266323761623065653764383366313962376137366462370a353830333261623636363464343339
+ 38643132663433623432613734386335303230643838643062623830663436633061353934616563
+ 6539323431393862350a333837366336643437356662646563363738666336353537386434313464
+ 3463
+ mysql_registry_user_password: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 31306164636533333166366439376136643737336430666434376166633761393532396262656463
+ 6364373466633437376635323631353966613266653135390a363438613432356434336430363461
+ 35303130646562613662666331643039353565666332336132363833653333333432643334373032
+ 6133336134663366320a343866626235613434316637656631373263616562356235636265613236
+ 3063
+ comanage_match_database_user_password: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 38653265376539646133666537316665393663633165363262623764363862323661653431396266
+ 3037653765343939346532333061393937346237653663640a393636306232396533393334623832
+ 35376335653065656465626230323339663139343938313036336535383664633666313362343733
+ 3937346630323562390a343366396166303936316635666530373630393936666362306361646436
+ 3035
+ postgres_password: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 33396235386639346261373239623763313232376235653239366534373563666265356631373966
+ 6562666462646266323662633262616661386161393462330a343936376664313130323836393864
+ 32663331393732393035323066663030643465323666363161333234663539613137323039306133
+ 6430336236633164640a306563343736623437373834333562343339373162326236366631623562
+ 3234