From 4152fa2e3d49416e54b57ef6352f046dd20f93be Mon Sep 17 00:00:00 2001
From: William Petit
Date: Thu, 21 Jul 2022 14:19:23 +0200
Subject: [PATCH] feat: generalize variables usage

---
 defaults/main.yml | 33 ++-
 files/shibboleth2.xml.gotmpl | 257 ------------------
 tasks/hydra-passwordless.yml | 4 +-
 tasks/hydra-saml.yml | 14 +-
 tasks/main.yml | 8 +-
 tasks/oidc-test.yml | 13 +-
 .../cadoles-pod-hydra-dispatcher-v1.conf.j2 | 8 +-
 .../cadoles-pod-hydra-passwordless-v1.conf.j2 | 2 +-
 .../cadoles-pod-hydra-remote-user-v1.conf.j2 | 6 +-
 templates/cadoles-pod-hydra-v1.conf.j2 | 18 +-
 .../cadoles-pod-shibboleth-sp-v3.conf.j2 | 5 +-
 templates/haproxy.cfg.j2 | 64 ++---
 templates/hydra-client.json.j2 | 2 +-
 templates/hydra-dispatcher-apps.yml.j2 | 12 +-
 14 files changed, 94 insertions(+), 352 deletions(-)
 delete mode 100644 files/shibboleth2.xml.gotmpl
diff --git a/defaults/main.yml b/defaults/main.yml
index 02eb2d7..e4f82e0 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -4,6 +4,14 @@ cadoles_pod_debian_repository_url: https://vulcain.cadoles.com
 cadoles_pod_debian_repository: bullseye-dev
 cadoles_pod_debian_repository_key_url: https://vulcain.cadoles.com/cadoles.gpg
+# packages versions
+haproxy_package_version: '*'
+cadoles_pod_hydra_v1_package_version: '*'
+cadoles_pod_hydra_dispatcher_v1_package_version: '*'
+cadoles_pod_shibboleth_sp_v3_package_version: '*'
+cadoles_pod_hydra_remote_user_v1_package_version: '*'
+cadoles_pod_hydra_passwordless_v1_package_version: '*'
+
 # Hydra database configuration
 hydra_use_external_database: no
 hydra_database_name: hydra
@@ -12,17 +20,35 @@ hydra_database_password: hydra hydra_database_host: 10.0.2.2 hydra_database_port: 3306 +# HAProxy configuration + +haproxy_public_base_url: http://{{ ansible_default_ipv4.address | default(ansible_all_ipv4_addresses[0]) }} +haproxy_hydra_dispatcher_base_path: /auth/dispatcher +haproxy_hydra_passwordless_base_path: /auth/passwordless +haproxy_hydra_saml_base_path: /auth/saml + +haproxy_forwarded_proto: https +haproxy_forwarded_host: "%[req.hdr(Host)]" +haproxy_forwarded_port: "%[dst_port]" + # Hydra OIDC configuration -public_scheme: http -public_host: "{{ ansible_default_ipv4.address | default(ansible_all_ipv4_addresses[0]) }}" +hydra_urls_self_issuer_url: "{{ haproxy_public_base_url }}" +hydra_urls_consent: "{{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}/consent" +hydra_urls_login: "{{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}/login" +hydra_urls_logout: "{{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}/logout" + +hydra_log_level: warn +hydra_log_leak_sensitive_values: no + +# This value should not be changed after first deployment ! +hydra_secrets_seed: "{{ inventory_hostname }}" # Hydra clients hydra_clients: - client_id: default-client client_name: Default client - redirect_uris: ["{{ public_scheme }}://{{ public_host }}"] # Hydra Passwordless configuration @@ -51,5 +77,6 @@ hydra_saml_idp_metadata_url: https://samltest.id/saml/idp # OIDC Test configuration enable_oidc_test_app: yes +oidc_test_app_public_base_url: http://{{ ansible_default_ipv4.address | default(ansible_all_ipv4_addresses[0]) }}:8080 oidc_test_app_client_id: oidc-test oidc_test_app_client_secret: '$oidc-test&123456$' \ No newline at end of file diff --git a/files/shibboleth2.xml.gotmpl b/files/shibboleth2.xml.gotmpl deleted file mode 100644 index 175948e..0000000 --- a/files/shibboleth2.xml.gotmpl +++ /dev/null 
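Review bot: `hydra_secrets_seed` defaults to `{{ inventory_hostname }}`, and because `ansible.builtin.password` with `seed=` is deterministic, the Hydra system secret and pairwise salt that templates/cadoles-pod-hydra-v1.conf.j2 derives from it can be regenerated by anyone who knows the hostname and this role. The comment should say the default is a placeholder to be overridden per deployment, e.g. `# Override with a long random value kept in ansible-vault: the default (inventory hostname) is guessable. Do not change it after the first deployment, since every secret derived from it would change too.` In the same hunk `haproxy_forwarded_proto` defaults to `https` while `haproxy_public_base_url` defaults to `http://…`, so on a default deployment the backends are told every request was TLS; `haproxy_forwarded_proto: "{{ 'https' if haproxy_public_base_url.startswith('https') else 'http' }}"` keeps the two in step and matches the `APACHE_FORCE_HTTPS` test in templates/cadoles-pod-shibboleth-sp-v3.conf.j2.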
@@ -1,257 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/tasks/hydra-passwordless.yml b/tasks/hydra-passwordless.yml index e9d8664..53cb1fa 100644 --- a/tasks/hydra-passwordless.yml +++ b/tasks/hydra-passwordless.yml @@ -3,9 +3,9 @@ - name: Install cadoles-pod-hydra-passwordless-v1 package ansible.builtin.apt: name: - - cadoles-pod-hydra-passwordless-v1 + - "cadoles-pod-hydra-passwordless-v1={{ cadoles_pod_hydra_passwordless_v1_package_version }}" update_cache: yes - state: latest + state: present become: true - name: Configure cadoles-pod-hydra-passwordless-v1 diff --git a/tasks/hydra-saml.yml b/tasks/hydra-saml.yml index e5487d6..f43b906 100644 --- a/tasks/hydra-saml.yml +++ b/tasks/hydra-saml.yml @@ -3,10 +3,10 @@ - name: Install cadoles-pod-hydra-remote-user-v1 package ansible.builtin.apt: name: - - cadoles-pod-shibboleth-sp-v3 - - cadoles-pod-hydra-remote-user-v1 + - "cadoles-pod-shibboleth-sp-v3={{ cadoles_pod_shibboleth_sp_v3_package_version }}" + - "cadoles-pod-hydra-remote-user-v1={{ cadoles_pod_hydra_remote_user_v1_package_version }}" update_cache: yes - state: latest + state: present become: true - name: Configure cadoles-pod-hydra-remote-user-v1 @@ -50,12 +50,4 @@ dest: /etc/shibboleth/attribute-map.inc.xml notify: - Restart cadoles-pod-shibboleth-sp-v3 - become: true - -- name: Configure cadoles-pod-shibboleth-sp-v3 (2) - ansible.builtin.copy: - src: shibboleth2.xml.gotmpl - dest: /etc/shibboleth/shibboleth2.xml.gotmpl - notify: - - Restart cadoles-pod-shibboleth-sp-v3 become: true \ No newline at end of file diff --git a/tasks/main.yml b/tasks/main.yml index 9832521..d9d3361 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
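Review bot: The task that copied `shibboleth2.xml.gotmpl` to `/etc/shibboleth/` is dropped together with the file, yet templates/cadoles-pod-shibboleth-sp-v3.conf.j2 still bind-mounts `/etc/shibboleth/shibboleth2.xml.gotmpl` into the container. On a fresh host that path no longer exists, and podman will, as far as I recall, create a missing host path as an empty directory and so shadow whatever template the image ships, while hosts deployed before this change keep mounting the stale copy. Either remove the `-v '/etc/shibboleth/shibboleth2.xml.gotmpl:…'` line from that template or add an `ansible.builtin.file` task with `state: absent` here so both sides agree.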
@@ -31,11 +31,11 @@
 - name: Install core packages
 ansible.builtin.apt:
 name:
- - haproxy
- - cadoles-pod-hydra-v1
- - cadoles-pod-hydra-dispatcher-v1
+ - haproxy={{ haproxy_package_version }}
+ - cadoles-pod-hydra-v1={{ cadoles_pod_hydra_v1_package_version }}
+ - cadoles-pod-hydra-dispatcher-v1={{ cadoles_pod_hydra_dispatcher_v1_package_version }}
 update_cache: yes
- state: latest
+ state: present
 become: true
 - name: Configure Hydra local database
diff --git a/tasks/oidc-test.yml b/tasks/oidc-test.yml
index 2dd1ca9..ae0c4db 100644
--- a/tasks/oidc-test.yml
+++ b/tasks/oidc-test.yml
@@ -8,8 +8,8 @@
 - client_id: "{{ oidc_test_app_client_id }}"
 client_secret: "{{ oidc_test_app_client_secret }}"
 client_name: "OIDC Test"
- redirect_uris: ["{{ public_scheme }}://{{ public_host }}:8080/oauth2/callback"]
- post_logout_redirect_uris: ["{{ public_scheme }}://{{ public_host }}:8080"]
+ redirect_uris: ["{{ oidc_test_app_public_base_url }}/oauth2/callback"]
+ post_logout_redirect_uris: ["{{ oidc_test_app_public_base_url }}"]
 logo_uri: https://www.cadoles.com/images/logo.svg
 notify:
@@ -19,7 +19,7 @@
 - name: Start oidc-test app
 containers.podman.podman_container:
 name: oidc-test
- image: docker.io/bornholm/oidc-test:v0.0.0-2-gd0583cc
+ image: docker.io/bornholm/oidc-test:v0.0.0-3-g5beae19
 state: started
 network: host
 recreate: yes
@@ -27,8 +27,9 @@
 OIDC_CLIENT_ID: "{{ oidc_test_app_client_id }}"
 OIDC_CLIENT_SECRET: "{{ oidc_test_app_client_secret }}"
 LOG_LEVEL: 0
- OIDC_ISSUER_URL: "http://{{ public_host }}/"
- OIDC_REDIRECT_URL: "http://{{ public_host }}:8080"
- OIDC_POST_LOGOUT_REDIRECT_URL: "http://{{ public_host }}:8080"
+ OIDC_ISSUER_URL: "{{ hydra_urls_self_issuer_url }}/"
+ OIDC_INSECURE_SKIP_VERIFY: true
+ OIDC_REDIRECT_URL: "{{ oidc_test_app_public_base_url }}"
+ OIDC_POST_LOGOUT_REDIRECT_URL: "{{ oidc_test_app_public_base_url }}"
 HTTP_ADDRESS: 0.0.0.0:8080
 become: true
\ No newline at end of file
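Review bot: With the `'*'` default versions and `state: present` replacing `state: latest`, a re-run of the role no longer upgrades haproxy or the hydra packages, so updates from the Cadoles repository are only picked up when an operator bumps the version variables or upgrades out of band (the same applies to tasks/hydra-passwordless.yml and tasks/hydra-saml.yml). That is a fair trade for reproducibility, but it is a behaviour change that belongs next to the `# packages versions` comment in defaults/main.yml, e.g. `# '*' installs whatever apt resolves on the first run; with state: present the packages are not upgraded afterwards — pin a version or upgrade explicitly`. Stylistically the three package specs here are unquoted while hydra-passwordless.yml and hydra-saml.yml quote theirs; `- "haproxy={{ haproxy_package_version }}"` would keep the task files uniform.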
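Review bot: `OIDC_INSECURE_SKIP_VERIFY: true` turns off TLS certificate verification in the test app unconditionally, and `enable_oidc_test_app` defaults to `yes` in defaults/main.yml, so a default deployment ships a client that accepts any certificate for the issuer. It should be opt-in and documented as such, e.g. `OIDC_INSECURE_SKIP_VERIFY: "{{ oidc_test_app_insecure_skip_verify | default(false) }}"` with the variable listed in the `# OIDC Test configuration` block. The value is also a YAML boolean, which the podman_container `env` dict will presumably hand to the container as the string `True`; quoting it like the neighbouring values avoids depending on the app's boolean parser.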
diff --git a/templates/cadoles-pod-hydra-dispatcher-v1.conf.j2 b/templates/cadoles-pod-hydra-dispatcher-v1.conf.j2
index d4e5f5b..8c5665e 100644
--- a/templates/cadoles-pod-hydra-dispatcher-v1.conf.j2
+++ b/templates/cadoles-pod-hydra-dispatcher-v1.conf.j2
@@ -9,8 +9,8 @@ PODMAN_ARGS="\
 -e HYDRA_ADMIN_BASE_URL=http://10.0.2.2:4445 \
 -e HYDRA_BASE_URL=http://10.0.2.2:4444 \
 -e HYDRA_REWRITE_ISSUER=no \
- -e HYDRA_ORIGINAL_ISSUER={{ public_scheme }}://{{ public_host }} \
- -e HYDRA_NEW_ISSUER={{ public_scheme }}://{{ public_host }} \
- -e 'ASSETS_BASE_URL={{ public_scheme }}://{{ public_host }}/auth/dispatcher' \
- -e 'COOKIE_PATH=/auth/dispatcher' \
+ -e 'HYDRA_ORIGINAL_ISSUER={{ haproxy_public_base_url }}' \
+ -e 'HYDRA_NEW_ISSUER={{ haproxy_public_base_url }}' \
+ -e 'ASSETS_BASE_URL={{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}' \
+ -e 'COOKIE_PATH={{ haproxy_hydra_dispatcher_base_path }}' \
 "
\ No newline at end of file
diff --git a/templates/cadoles-pod-hydra-passwordless-v1.conf.j2 b/templates/cadoles-pod-hydra-passwordless-v1.conf.j2
index 9e64ef5..e657420 100644
--- a/templates/cadoles-pod-hydra-passwordless-v1.conf.j2
+++ b/templates/cadoles-pod-hydra-passwordless-v1.conf.j2
@@ -2,7 +2,7 @@ PODMAN_ARGS="\
 -p 127.0.0.1:3001:3000 \
 --network=slirp4netns:allow_host_loopback=true \
 --replace --name 'cadoles-pod-hydra-passwordless-v1' \
- -e HTTP_BASE_URL={{ public_scheme }}://{{ public_host }}/auth/passwordless \
+ -e HTTP_BASE_URL={{ haproxy_public_base_url }}/auth/passwordless \
 -e 'SMTP_HOST={{ hydra_passwordless_smtp_host }}' \
 -e 'SMTP_PORT={{ hydra_passwordless_smtp_port }}' \
 -e 'SMTP_USER={{ hydra_passwordless_smtp_user }}' \
diff --git a/templates/cadoles-pod-hydra-remote-user-v1.conf.j2 b/templates/cadoles-pod-hydra-remote-user-v1.conf.j2
index c2946a1..e4c3e23 100644
--- a/templates/cadoles-pod-hydra-remote-user-v1.conf.j2
+++ b/templates/cadoles-pod-hydra-remote-user-v1.conf.j2
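Review bot: `HTTP_BASE_URL` still hard-codes `/auth/passwordless` instead of using the new `haproxy_hydra_passwordless_base_path`, whereas templates/haproxy.cfg.j2 and templates/hydra-dispatcher-apps.yml.j2 now route and link through that variable. Overriding the base path would therefore leave the passwordless app generating URLs under a prefix HAProxy no longer forwards to it. Suggest `-e 'HTTP_BASE_URL={{ haproxy_public_base_url }}{{ haproxy_hydra_passwordless_base_path }}' \`, quoted as the sibling templates do; the `PODMAN_ARGS=` assignment opens before the hunk and closes after it.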
@@ -6,9 +6,9 @@ PODMAN_ARGS="\
 -v /etc/hydra-remote-user/apache.conf:/etc/apache2/sites-available/000-default.conf \
 -e APP_ENV=prod \
 -e APP_DEBUG=no \
- -e HTTP_BASE_URL={{ public_scheme }}://{{ public_host }}/auth/saml \
- -e COOKIE_PATH=/auth/saml \
+ -e 'HTTP_BASE_URL={{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}' \
+ -e COOKIE_PATH={{ haproxy_hydra_saml_base_path }} \
 -e HYDRA_ADMIN_BASE_URL=http://10.0.2.2:3000 \
 -e 'TRUSTED_PROXIES=127.0.0.1,10.0.2.0/24' \
- -e LOGOUT_REDIRECT_URL_PATTERN={{ public_scheme }}://{{ public_host }}/auth/saml/Shibboleth.sso/Logout?return=%s \
+ -e 'LOGOUT_REDIRECT_URL_PATTERN={{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}/Shibboleth.sso/Logout?return=%s' \
 "
\ No newline at end of file
diff --git a/templates/cadoles-pod-hydra-v1.conf.j2 b/templates/cadoles-pod-hydra-v1.conf.j2
index 79bdfc7..6c834ff 100644
--- a/templates/cadoles-pod-hydra-v1.conf.j2
+++ b/templates/cadoles-pod-hydra-v1.conf.j2
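Review bot: `COOKIE_PATH={{ haproxy_hydra_saml_base_path }}` is the one templated value in this hunk left without single quotes, while `HTTP_BASE_URL` and `LOGOUT_REDIRECT_URL_PATTERN` on the neighbouring lines gained them. Inside `PODMAN_ARGS` an unquoted expansion is subject to word splitting if the base path ever contains whitespace or shell-significant characters, so the quoting is not purely cosmetic. For uniformity `-e 'COOKIE_PATH={{ haproxy_hydra_saml_base_path }}' \`; the `PODMAN_ARGS=` assignment opens before the hunk.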
@@ -6,13 +6,15 @@ PODMAN_ARGS="\
 -p 127.0.0.1:4445:4445 \
 --tmpfs /tmp \
 -e 'HYDRA_DSN=mysql://{{ hydra_database_user }}:{{ hydra_database_password }}@tcp({{ hydra_database_host }}:{{ hydra_database_port }})/{{ hydra_database_name }}?parseTime=true' \
- -e LOG_LEVEL=debug \
- -e LOG_LEAK_SENSITIVE_VALUES=true \
- -e HYDRA_URLS_SELF_ISSUER={{ public_scheme }}://{{ public_host }} \
- -e HYDRA_URLS_CONSENT={{ public_scheme }}://{{ public_host }}/auth/dispatcher/consent \
- -e HYDRA_URLS_LOGIN={{ public_scheme }}://{{ public_host }}/auth/dispatcher/login \
- -e HYDRA_URLS_LOGOUT={{ public_scheme }}://{{ public_host }}/auth/dispatcher/logout \
- -e HYDRA_ALLOW_INSECURE=yes \
- -e HYDRA_LEVEL=debug \
+ -e 'LOG_LEVEL={{ hydra_log_level }}' \
+ -e 'LOG_LEAK_SENSITIVE_VALUES={{ hydra_log_leak_sensitive_values }}' \
+ -e 'HYDRA_URLS_SELF_ISSUER={{ hydra_urls_self_issuer_url }}' \
+ -e 'HYDRA_URLS_CONSENT={{ hydra_urls_consent }}' \
+ -e 'HYDRA_URLS_LOGIN={{ hydra_urls_login }}' \
+ -e 'HYDRA_URLS_LOGOUT={{ hydra_urls_logout }}' \
+ -e 'HYDRA_ALLOW_INSECURE=yes' \
+ -e 'HYDRA_LEVEL={{ hydra_log_level }}' \
+ -e 'HYDRA_SECRETS_SYSTEM={{ lookup('ansible.builtin.password', '/dev/null length=32 seed=hydra_secrets_seed') }}' \
+ -e 'HYDRA_OIDC_SUBJECT_IDENTIFIERS_PAIRWISE_SALT={{ lookup('ansible.builtin.password', '/dev/null length=32 seed=hydra_secrets_seed') }}' \
 -v /etc/hydra/clients.d:/etc/hydra/clients.d \
 "
\ No newline at end of file
diff --git a/templates/cadoles-pod-shibboleth-sp-v3.conf.j2 b/templates/cadoles-pod-shibboleth-sp-v3.conf.j2
index b5dc81c..88d0533 100644
--- a/templates/cadoles-pod-shibboleth-sp-v3.conf.j2
+++ b/templates/cadoles-pod-shibboleth-sp-v3.conf.j2
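Review bot: The lookup terms for `HYDRA_SECRETS_SYSTEM` and `HYDRA_OIDC_SUBJECT_IDENTIFIERS_PAIRWISE_SALT` are plain Jinja string literals, so `seed=hydra_secrets_seed` hands the literal text `hydra_secrets_seed` to `ansible.builtin.password` rather than the variable's value, since lookup terms are not re-templated. Every deployment of this role therefore ends up with one and the same system secret, and the pairwise salt is identical to it because both calls use the same seed and length. Concatenate the variable and give each value its own suffix: `-e 'HYDRA_SECRETS_SYSTEM={{ lookup('ansible.builtin.password', '/dev/null length=32 seed=' ~ hydra_secrets_seed ~ '-system') }}' \` and `-e 'HYDRA_OIDC_SUBJECT_IDENTIFIERS_PAIRWISE_SALT={{ lookup('ansible.builtin.password', '/dev/null length=32 seed=' ~ hydra_secrets_seed ~ '-pairwise-salt') }}' \`. With `/dev/null` nothing is persisted, so the strength of both values rests entirely on the seed's entropy, which deserves a comment at the top of the template; `HYDRA_ALLOW_INSECURE=yes` also remains on unconditionally even when `hydra_urls_self_issuer_url` is https. The `PODMAN_ARGS=` assignment opens before the hunk.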
@@ -2,11 +2,12 @@ PODMAN_ARGS="\
 -p 127.0.0.1:3002:80 \
 --network=slirp4netns:allow_host_loopback=true \
 --replace --name 'cadoles-pod-shibboleth-sp-v3' \
- -e 'SP_ENTITY_ID={{ public_scheme }}://{{ public_host }}/auth/saml' \
+ -e 'SP_ENTITY_ID={{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}' \
 -e 'IDP_ENTITY_ID={{ hydra_saml_idp_entity_id }}' \
 -e 'IDP_METADATA_URL={{ hydra_saml_idp_metadata_url }}' \
 -e 'APACHE_BACKEND_URL=http://10.0.2.2:3003' \
- -e 'SP_HANDLER_BASE_PATH=/auth/saml' \
+ -e 'APACHE_FORCE_HTTPS={{ "true" if haproxy_public_base_url.startswith('https') else "false" }}' \
+ -e 'SP_HANDLER_BASE_PATH={{ haproxy_hydra_saml_base_path }}' \
 -v '/etc/shibboleth/attribute-map.inc.xml:/etc/shibboleth/attribute-map.inc.xml' \
 -v '/etc/shibboleth/shibboleth2.xml.gotmpl:/etc/shibboleth/shibboleth2.xml.gotmpl' \
 -v '/etc/shibboleth/credentials:/etc/shibboleth/credentials' \
diff --git a/templates/haproxy.cfg.j2 b/templates/haproxy.cfg.j2
index 079b38e..da39e5f 100644
--- a/templates/haproxy.cfg.j2
+++ b/templates/haproxy.cfg.j2
@@ -37,66 +37,49 @@ frontend http-in bind 0.0.0.0:80 mode http - maxconn 2000 + maxconn 2000 - acl login_dispatcher path_beg -i /auth/dispatcher - {% if enable_hydra_passwordless %} - acl login_passwordless path_beg -i /auth/passwordless - {% endif %} - {% if enable_hydra_saml %} - acl login_saml path_beg -i /auth/saml - {% endif %} + acl login_dispatcher path_beg -i {{ haproxy_hydra_dispatcher_base_path }} +{% if enable_hydra_passwordless %} + acl login_passwordless path_beg -i {{ haproxy_hydra_passwordless_base_path }} +{% endif %} +{% if enable_hydra_saml %} + acl login_saml path_beg -i {{ haproxy_hydra_saml_base_path }} +{% endif %} use_backend hydra_dispatcher if login_dispatcher - {% if enable_hydra_passwordless %} +{% if enable_hydra_passwordless %} use_backend hydra_passwordless if login_passwordless - {% endif %} - {% if enable_hydra_saml %} +{% endif %} +{% if enable_hydra_saml %} use_backend hydra_saml if login_saml - {% endif %} +{% endif %} use_backend hydra +option forwardfor + +http-request set-header X-Forwarded-Proto {{ haproxy_forwarded_proto }} +http-request set-header X-Forwarded-Host {{ haproxy_forwarded_host }} +http-request set-header X-Forwarded-Port {{ haproxy_forwarded_port }} + # Backend Hydra backend hydra balance roundrobin - - # Headers HTTP des requêtes - option forwardfor - http-request set-header X-Forwarded-Port %[dst_port] - http-request add-header X-Forwarded-Proto http - http-request set-header X-Forwarded-Host %[req.hdr(Host)] - server hydra 127.0.0.1:4444 check # Backend Hydra Dispatcher backend hydra_dispatcher balance roundrobin - - # Headers HTTP des requêtes - option forwardfor - http-request set-header X-Forwarded-Port %[dst_port] - http-request add-header X-Forwarded-Proto http - http-request set-header X-Forwarded-Host %[req.hdr(Host)] - # Suppression du préfixe /auth/dispatcher dans l'URL - http-request set-path %[path,regsub(^/auth/dispatcher/,/)] - + http-request set-path %[path,regsub(^{{ 
haproxy_hydra_dispatcher_base_path }}/,/)] server hydra-login-dispatcher 127.0.0.1:3000 check {% if enable_hydra_passwordless %} # Backend Hydra Passwordless backend hydra_passwordless balance roundrobin - - # Headers HTTP des requêtes - option forwardfor - http-request set-header X-Forwarded-Port %[dst_port] - http-request add-header X-Forwarded-Proto http - http-request set-header X-Forwarded-Host %[req.hdr(Host)] - # Suppression du préfixe /auth/passwordless dans l'URL - http-request set-path %[path,regsub(^/auth/passwordless,)] - + http-request set-path %[path,regsub(^{{ haproxy_hydra_passwordless_base_path }},)] server hydra-login-passwordless 127.0.0.1:3001 check {%- endif %} @@ -104,12 +87,5 @@ backend hydra_passwordless # Backend Hydra SAML backend hydra_saml balance roundrobin - - # Headers HTTP des requêtes - option forwardfor - http-request set-header X-Forwarded-Port %[dst_port] - http-request add-header X-Forwarded-Proto http - http-request set-header X-Forwarded-Host %[req.hdr(Host)] - server hydra-login-saml 127.0.0.1:3002 check {%- endif %} diff --git a/templates/hydra-client.json.j2 b/templates/hydra-client.json.j2 index 67c45b8..0a3c71d 100644 --- a/templates/hydra-client.json.j2 +++ b/templates/hydra-client.json.j2 @@ -1,7 +1,7 @@ { "client_id": {{ item.client_id | to_json }}, "client_name": {{ item.client_name | default(item.client_id) | to_json }}, - "client_secret": {{ item.client_secret | default(lookup('ansible.builtin.password', '/dev/null chars=ascii_lowercase,digits length=32')) | to_json }}, + "client_secret": {{ item.client_secret | default(lookup('ansible.builtin.password', '/dev/null chars=ascii_lowercase,digits length=32 seed=inventory_hostname')) | to_json }}, "grant_types": {{ item.grant_types | default(["authorization_code","refresh_token"]) | to_json }}, "jwks": {}, "metadata": {}, diff --git a/templates/hydra-dispatcher-apps.yml.j2 b/templates/hydra-dispatcher-apps.yml.j2 index 81bfad1..4c43e82 100644 
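Review bot: `option forwardfor` and the three `http-request set-header X-Forwarded-*` lines are inserted after the `use_backend` rules of `frontend http-in` (the `frontend http-in` line itself sits just before the hunk); HAProxy still evaluates them before backend selection, but it warns at startup about an `http-request` rule placed after `use_backend`, and their column-0 placement reads as if they were outside the section. Move them up between `maxconn 2000` and the `acl` lines, indented like their neighbours. The base-path variables are also interpolated verbatim into the `regsub(^{{ … }}/,/)` patterns of the dispatcher and passwordless backends, which is fine for the defaults but worth a comment above the first one: `# base paths are inserted unescaped into regsub(): keep them free of regex metacharacters`.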
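Review bot: `seed=inventory_hostname` inside the lookup's term string is the literal word `inventory_hostname`, not the host's name, because lookup terms are not re-templated; every client that omits `client_secret` now receives the same generated secret on every host and for every client id. The intent of a secret that is stable across runs is sound, but it needs Jinja concatenation and the client id in the seed: `"client_secret": {{ item.client_secret | default(lookup('ansible.builtin.password', '/dev/null chars=ascii_lowercase,digits length=32 seed=' ~ inventory_hostname ~ '-' ~ item.client_id)) | to_json }},`. Even then a hostname-derived seed is guessable, so a comment at the top of the template should say that generated secrets are a development convenience and real clients must set `client_secret` explicitly. The surrounding JSON object continues past the hunk.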
--- a/templates/hydra-dispatcher-apps.yml.j2
+++ b/templates/hydra-dispatcher-apps.yml.j2
@@ -4,9 +4,9 @@ hydra:
 - id: passwordless
 title: "{{ hydra_passwordless_app_title }}"
 description: "{{ hydra_passwordless_app_description }}"
- login_url: {{ public_scheme }}://{{ public_host }}/auth/passwordless/login
- consent_url: {{ public_scheme }}://{{ public_host }}/auth/passwordless/consent
- logout_url: {{ public_scheme }}://{{ public_host }}/auth/passwordless/logout
+ login_url: {{ haproxy_public_base_url }}{{ haproxy_hydra_passwordless_base_path }}/login
+ consent_url: {{ haproxy_public_base_url }}{{ haproxy_hydra_passwordless_base_path }}/consent
+ logout_url: {{ haproxy_public_base_url }}{{ haproxy_hydra_passwordless_base_path }}/logout
 attributes_rewrite_rules:
 email:
 - consent.session.id_token.email
@@ -16,9 +16,9 @@ hydra:
 - id: saml
 title: "{{ hydra_saml_app_title }}"
 description: "{{ hydra_saml_app_description }}"
- login_url: {{ public_scheme }}://{{ public_host }}/auth/saml/login
- consent_url: {{ public_scheme }}://{{ public_host }}/auth/saml/consent
- logout_url: {{ public_scheme }}://{{ public_host }}/auth/saml/logout
+ login_url: {{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}/login
+ consent_url: {{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}/consent
+ logout_url: {{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}/logout
 attributes_rewrite_rules:
 email:
 - consent.session.id_token.email