feat: generalize variables usage

2022-07-21 14:19:23 +02:00 · 2022-07-21 14:19:23 +02:00 · 4152fa2e3d
parent 20f5ef8faa
commit 4152fa2e3d
14 changed files with 94 additions and 352 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -4,6 +4,14 @@ cadoles_pod_debian_repository_url: https://vulcain.cadoles.com
 cadoles_pod_debian_repository: bullseye-dev
 cadoles_pod_debian_repository_key_url: https://vulcain.cadoles.com/cadoles.gpg
 # packages versions
 haproxy_package_version: '*'
 cadoles_pod_hydra_v1_package_version: '*'
 cadoles_pod_hydra_dispatcher_v1_package_version: '*'
 cadoles_pod_shibboleth_sp_v3_package_version: '*'
 cadoles_pod_hydra_remote_user_v1_package_version: '*'
 cadoles_pod_hydra_passwordless_v1_package_version: '*'
 # Hydra database configuration
 hydra_use_external_database: no
 hydra_database_name: hydra
@ -12,17 +20,35 @@ hydra_database_password: hydra
 hydra_database_host: 10.0.2.2
 hydra_database_port: 3306
 # HAProxy configuration
 haproxy_public_base_url: http://{{ ansible_default_ipv4.address | default(ansible_all_ipv4_addresses[0]) }}
 haproxy_hydra_dispatcher_base_path: /auth/dispatcher
 haproxy_hydra_passwordless_base_path: /auth/passwordless
 haproxy_hydra_saml_base_path: /auth/saml
 haproxy_forwarded_proto: https
 haproxy_forwarded_host: "%[req.hdr(Host)]"
 haproxy_forwarded_port: "%[dst_port]"
 # Hydra OIDC configuration
-public_scheme: http
+hydra_urls_self_issuer_url: "{{ haproxy_public_base_url }}"
-public_host: "{{ ansible_default_ipv4.address | default(ansible_all_ipv4_addresses[0]) }}"
+hydra_urls_consent: "{{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}/consent"
 hydra_urls_login: "{{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}/login"
 hydra_urls_logout: "{{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}/logout"
 hydra_log_level: warn
 hydra_log_leak_sensitive_values: no
 # This value should not be changed after first deployment !
 hydra_secrets_seed: "{{ inventory_hostname }}"
 # Hydra clients
 hydra_clients:
  - client_id: default-client
    client_name: Default client
    redirect_uris: ["{{ public_scheme }}://{{ public_host }}"]
 # Hydra Passwordless configuration
@ -51,5 +77,6 @@ hydra_saml_idp_metadata_url: https://samltest.id/saml/idp
 # OIDC Test configuration
 enable_oidc_test_app: yes
 oidc_test_app_public_base_url: http://{{ ansible_default_ipv4.address | default(ansible_all_ipv4_addresses[0]) }}:8080
 oidc_test_app_client_id: oidc-test
 oidc_test_app_client_secret: '$oidc-test&123456$'
--- a/files/shibboleth2.xml.gotmpl
+++ b/files/shibboleth2.xml.gotmpl
@ -1,257 +0,0 @@
 <SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
    xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    clockSkew="180">
    <!-- The OutOfProcess section contains properties affecting the shibd daemon. -->
    <OutOfProcess
        logger="shibd.logger" tranLogFormat="[TRANSACTION] %u|%s|%IDP|%i|%ac|%t|%attr|%n|%b|%E|%S|%SS|%L|%UA|%a">
        <!-- <Extensions>
            <Library path="odbc-store.so" fatal="true"/>
        </Extensions> -->
    </OutOfProcess>
    <!-- <InProcess logger="native.logger" checkSpoofing="false"/> -->
    <!-- Only one listener can be defined, to connect in-process modules to shibd. -->
    <UnixListener address="shibd.sock"/>
    <!-- <TCPListener address="127.0.0.1" port="1600" acl="127.0.0.1"/> -->
    <!-- This set of components stores sessions and other persistent data in daemon memory. -->
    <StorageService type="Memory" id="mem" cleanupInterval="900"/>
    <SessionCache type="StorageService" StorageService="mem" cacheAssertions="false"
                  cacheAllowance="900" inprocTimeout="900" cleanupInterval="900"/>
    <ReplayCache StorageService="mem"/>
    <ArtifactMap artifactTTL="180"/>
    <!-- This set of components stores sessions and other persistent data in an ODBC database. -->
    <!--
    <StorageService type="ODBC" id="db" cleanupInterval="900">
        <ConnectionString>
        DRIVER=drivername;SERVER=dbserver;UID=shibboleth;PWD=password;DATABASE=shibboleth;APP=Shibboleth
        </ConnectionString>
    </StorageService>
    <SessionCache type="StorageService" StorageService="db" cacheAssertions="false"
                  cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>
    <ReplayCache StorageService="db"/>
    <ArtifactMap StorageService="db" artifactTTL="180"/>
    -->
    <!--
    The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined.
    Resource requests are mapped by the RequestMapper to an applicationId that
    points into to this section (or to the defaults here).
    -->
    <ApplicationDefaults entityID="{{ getenv "SP_ENTITY_ID" "http://sp-entity-id" }}"
        REMOTE_USER="{{ getenv "SP_REMOTE_USER" "eppn subject-id pairwise-id persistent-id" }}"
        cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">
        <!--
        Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
        Each Application has an effectively unique handlerURL, which defaults to "/Shibboleth.sso"
        and should be a relative path, with the SP computing the full value based on the virtual
        host. Using handlerSSL="true" will force the protocol to be https. You should also set
        cookieProps to "https" for SSL-only sites. Note that while we default checkAddress to
        "false", this makes an assertion stolen in transit easier for attackers to misuse.
        -->
        <Sessions lifetime="28800" timeout="3600"
            handlerURL="{{ getenv "SP_HANDLER_BASE_PATH" "" }}/Shibboleth.sso" handlerSSL="false" cookieProps="http" relayState="ss:mem"
            redirectLimit="{{ getenv "SP_SESSIONS_REDIRECT_LIMIT" "host" }}"
            checkAddress="false"
            consistentAddress="false"
            exportLocation="http://localhost/Shibboleth.sso/GetAssertion" exportACL="127.0.0.1"
            idpHistory="false" idpHistoryDays="7">
            <!--
            The "stripped down" files use the shorthand syntax for configuring handlers.
            This uses the old "every handler specified directly" syntax. You can supplement
            the new syntax following these examples but it is NOT advisable to use this
            approach wholesale.
            -->
            <!--
            SessionInitiators handle session requests and relay them to a Discovery page,
            or to an IdP if possible. Automatic/active session  rules will use the default
            or first element (or requireSessionWith can specify a specific id to use).
            -->
            <!-- Default directs to a specific IdP. -->
            <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Login"
                              entityID="{{ getenv "IDP_ENTITY_ID" "http://idp-entity-id" }}">
                <SessionInitiator type="SAML2" template="bindingTemplate.html"/>
                <SessionInitiator type="Shib1"/>
                <!--
                To allow for >1 IdP, remove entityID property from Chaining element and add
                *either* of the SAMLDS or WAYF handlers below:
                <SessionInitiator type="SAMLDS" URL="https://ds.example.org/DS/WAYF"/>
                <SessionInitiator type="WAYF" URL="https://wayf.example.org/WAYF"/>
                -->
            </SessionInitiator>
            <!--
            md:AssertionConsumerService locations handle specific SSO protocol bindings,
            such as SAML 2.0 POST or SAML 1.1 Artifact. The isDefault and index attributes
            are used when sessions are initiated to determine how to tell the IdP where and
            how to return the response.
            -->
            <md:AssertionConsumerService Location="/SAML2/POST" index="1"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
            <md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
            <md:AssertionConsumerService Location="/SAML2/Artifact" index="3"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
            <md:AssertionConsumerService Location="/SAML2/ECP" index="4"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
            <md:AssertionConsumerService Location="/SAML/POST" index="5"
                Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
            <md:AssertionConsumerService Location="/SAML/Artifact" index="6"
                Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
            <!-- LogoutInitiators enable SP-initiated local or global/single logout of sessions. -->
            <LogoutInitiator type="Chaining" Location="/Logout">
                <LogoutInitiator type="SAML2" template="bindingTemplate.html"/>
                <LogoutInitiator type="Local"/>
            </LogoutInitiator>
            <!-- Administrative logout, separate from user-driven logout above. -->
            <LogoutInitiator type="Admin" Location="/Logout/Admin" acl="127.0.0.1 ::1" />
            <!-- md:SingleLogoutService locations handle single logout (SLO) protocol messages. -->
            <md:SingleLogoutService Location="/SLO/SOAP"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
            <md:SingleLogoutService Location="/SLO/Redirect" conf:template="bindingTemplate.html"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
            <md:SingleLogoutService Location="/SLO/POST" conf:template="bindingTemplate.html"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
            <md:SingleLogoutService Location="/SLO/Artifact" conf:template="bindingTemplate.html"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
            <!-- md:ManageNameIDService locations handle NameID management (NIM) protocol messages. -->
            <md:ManageNameIDService Location="/NIM/SOAP"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
            <md:ManageNameIDService Location="/NIM/Redirect" conf:template="bindingTemplate.html"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
            <md:ManageNameIDService Location="/NIM/POST" conf:template="bindingTemplate.html"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
            <md:ManageNameIDService Location="/NIM/Artifact" conf:template="bindingTemplate.html"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
            <!--
            md:ArtifactResolutionService locations resolve artifacts issued when using the
            SAML 2.0 HTTP-Artifact binding on outgoing messages, generally uses SOAP.
            -->
            <md:ArtifactResolutionService Location="/Artifact/SOAP" index="1"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
            <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
            <!-- Status reporting service. -->
            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
            <!-- Session diagnostic service. -->
            <Handler type="Session" Location="/Session" showAttributeValues="true"/>
            <!-- JSON feed of discovery information. -->
            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
        </Sessions>
        <!--
        Allows overriding of error template information/filenames. You can
        also add your own attributes with values that can be plugged into the
        templates, e.g., helpLocation below.
        -->
        <Errors supportContact="{{ getenv "CONTACT_EMAIL" "admin@localhost" }}"
            helpLocation="/about.html"
            styleSheet="/shibboleth-sp/main.css"/>
        <!--
        Uncomment and modify to tweak settings for specific IdPs or groups. Settings here
        generally match those allowed by the <ApplicationDefaults> element.
        -->
        <!--
        <RelyingParty Name="SpecialFederation" keyName="SpecialKey"/>
        -->
        <!-- Example of locally maintained metadata. -->
        <!--
        <MetadataProvider type="XML" validate="true" path="partner-metadata.xml"/>
        -->
        <!-- Example of remotely supplied batch of signed metadata. -->
        <!--
        <MetadataProvider type="XML" validate="true"
 	            url="http://federation.org/federation-metadata.xml"
              backingFilePath="federation-metadata.xml" maxRefreshDelay="7200">
            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
            <MetadataFilter type="Signature" certificate="fedsigner.pem" verifyBackup="false"/>
            <DiscoveryFilter type="Exclude" matcher="EntityAttributes" trimTags="true" 
              attributeName="http://macedir.org/entity-category"
              attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
              attributeValue="http://refeds.org/category/hide-from-discovery" />
        </MetadataProvider>
        -->
        <!-- Example of remotely supplied "on-demand" signed metadata. -->
        <!--
        <MetadataProvider type="MDQ" validate="true" cacheDirectory="mdq"
 	            baseUrl="http://mdq.federation.org" ignoreTransport="true">
            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
            <MetadataFilter type="Signature" certificate="mdqsigner.pem" />
        </MetadataProvider>
        -->
        <MetadataProvider type="Dynamic" 
            verifyHost="false" 
            ignoreTransport="true" 
            uri="{{ getenv "IDP_METADATA_URL" "http://idp/idp/shibboleth" }}">
        </MetadataProvider>
        <!-- TrustEngines run in order to evaluate peer keys and certificates. -->
        <TrustEngine type="ExplicitKey"/>
        <!-- <TrustEngine type="PKIX"/> -->
        <!-- Map to extract attributes from SAML assertions. -->
        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
        <!-- Extracts support information for IdP from its metadata. -->
        <AttributeExtractor type="Metadata" errorURL="errorURL" DisplayName="displayName"/>
        <!-- Use a SAML query if no attributes are supplied during SSO. -->
        <AttributeResolver type="Query" subjectMatch="true"/>
        <!-- Default filtering policy for recognized attributes, lets other data pass. -->
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
        <!-- Simple file-based resolvers for separate signing/encryption keys. -->
        <CredentialResolver type="File" use="signing"
            key="/etc/shibboleth/credentials/sp-signing.key" certificate="/etc/shibboleth/credentials/sp-signing.crt"/>
        <CredentialResolver type="File" use="encryption"
            key="/etc/shibboleth/credentials/sp-encrypt.key" certificate="/etc/shibboleth/credentials/sp-encrypt.crt"/>
        <!--
        The default settings can be overridden by creating ApplicationOverride elements.
        Resource requests are mapped by web server commands, or the RequestMapper, to an
        applicationId setting.
        This "canonical" use case of overriding the SP's entityID alone is now obsolete;
        you can apply selfEntityID as a content setting based on host or path to control
        the SP's own identity.
        Avoid overrides: ask on the list or refer to the wiki for examples of how to do
        whatever you want to do without them.
        -->
        <!--
        <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
        -->
    </ApplicationDefaults>
    <!-- Policies that determine how to process and authenticate runtime messages. -->
    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
    <!-- Low-level configuration about protocols and bindings available for use. -->
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
 </SPConfig>
--- a/tasks/hydra-passwordless.yml
+++ b/tasks/hydra-passwordless.yml
@ -3,9 +3,9 @@
 - name: Install cadoles-pod-hydra-passwordless-v1 package
  ansible.builtin.apt:
    name:
-      - cadoles-pod-hydra-passwordless-v1
+      - "cadoles-pod-hydra-passwordless-v1={{ cadoles_pod_hydra_passwordless_v1_package_version }}"
    update_cache: yes
-    state: latest
+    state: present
  become: true
 - name: Configure cadoles-pod-hydra-passwordless-v1
--- a/tasks/hydra-saml.yml
+++ b/tasks/hydra-saml.yml
@ -3,10 +3,10 @@
 - name: Install cadoles-pod-hydra-remote-user-v1 package
  ansible.builtin.apt:
    name:
-      - cadoles-pod-shibboleth-sp-v3
+      - "cadoles-pod-shibboleth-sp-v3={{ cadoles_pod_shibboleth_sp_v3_package_version }}"
-      - cadoles-pod-hydra-remote-user-v1
+      - "cadoles-pod-hydra-remote-user-v1={{ cadoles_pod_hydra_remote_user_v1_package_version }}"
    update_cache: yes
-    state: latest
+    state: present
  become: true
 - name: Configure cadoles-pod-hydra-remote-user-v1
@ -51,11 +51,3 @@
  notify:
    - Restart cadoles-pod-shibboleth-sp-v3
  become: true
 - name: Configure cadoles-pod-shibboleth-sp-v3 (2)
  ansible.builtin.copy:
    src:  shibboleth2.xml.gotmpl
    dest: /etc/shibboleth/shibboleth2.xml.gotmpl
  notify:
    - Restart cadoles-pod-shibboleth-sp-v3
  become: true
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -31,11 +31,11 @@
 - name: Install core packages
  ansible.builtin.apt:
    name:
-      - haproxy
+      - haproxy={{ haproxy_package_version }}
-      - cadoles-pod-hydra-v1
+      - cadoles-pod-hydra-v1={{ cadoles_pod_hydra_v1_package_version }}
-      - cadoles-pod-hydra-dispatcher-v1
+      - cadoles-pod-hydra-dispatcher-v1={{ cadoles_pod_hydra_dispatcher_v1_package_version }}
    update_cache: yes
-    state: latest
+    state: present
  become: true
 - name: Configure Hydra local database
--- a/tasks/oidc-test.yml
+++ b/tasks/oidc-test.yml
@ -8,8 +8,8 @@
    - client_id: "{{ oidc_test_app_client_id }}"
      client_secret: "{{ oidc_test_app_client_secret }}"
      client_name: "OIDC Test"
-      redirect_uris: ["{{ public_scheme }}://{{ public_host }}:8080/oauth2/callback"]
+      redirect_uris: ["{{ oidc_test_app_public_base_url }}/oauth2/callback"]
-      post_logout_redirect_uris: ["{{ public_scheme }}://{{ public_host }}:8080"]
+      post_logout_redirect_uris: ["{{ oidc_test_app_public_base_url }}"]
      logo_uri: https://www.cadoles.com/images/logo.svg
  notify:
@ -19,7 +19,7 @@
 - name: Start oidc-test app
  containers.podman.podman_container:
    name: oidc-test
-    image: docker.io/bornholm/oidc-test:v0.0.0-2-gd0583cc
+    image: docker.io/bornholm/oidc-test:v0.0.0-3-g5beae19
    state: started
    network: host
    recreate: yes
@ -27,8 +27,9 @@
      OIDC_CLIENT_ID: "{{ oidc_test_app_client_id }}"
      OIDC_CLIENT_SECRET: "{{ oidc_test_app_client_secret }}"
      LOG_LEVEL: 0
-      OIDC_ISSUER_URL: "http://{{ public_host }}/"
+      OIDC_ISSUER_URL: "{{ hydra_urls_self_issuer_url }}/"
-      OIDC_REDIRECT_URL: "http://{{ public_host }}:8080" 
+      OIDC_INSECURE_SKIP_VERIFY: true
-      OIDC_POST_LOGOUT_REDIRECT_URL: "http://{{ public_host }}:8080"
+      OIDC_REDIRECT_URL: "{{ oidc_test_app_public_base_url }}" 
      OIDC_POST_LOGOUT_REDIRECT_URL: "{{ oidc_test_app_public_base_url }}"
      HTTP_ADDRESS: 0.0.0.0:8080
  become: true
--- a/templates/cadoles-pod-hydra-dispatcher-v1.conf.j2
+++ b/templates/cadoles-pod-hydra-dispatcher-v1.conf.j2
@ -9,8 +9,8 @@ PODMAN_ARGS="\
    -e HYDRA_ADMIN_BASE_URL=http://10.0.2.2:4445 \
    -e HYDRA_BASE_URL=http://10.0.2.2:4444 \
    -e HYDRA_REWRITE_ISSUER=no \
-    -e HYDRA_ORIGINAL_ISSUER={{ public_scheme }}://{{ public_host }} \
+    -e 'HYDRA_ORIGINAL_ISSUER={{ haproxy_public_base_url }}' \
-    -e HYDRA_NEW_ISSUER={{ public_scheme }}://{{ public_host }} \
+    -e 'HYDRA_NEW_ISSUER={{ haproxy_public_base_url }}' \
-    -e 'ASSETS_BASE_URL={{ public_scheme }}://{{ public_host }}/auth/dispatcher' \
+    -e 'ASSETS_BASE_URL={{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}' \
-    -e 'COOKIE_PATH=/auth/dispatcher' \
+    -e 'COOKIE_PATH={{ haproxy_hydra_dispatcher_base_path }}' \
 "
--- a/templates/cadoles-pod-hydra-passwordless-v1.conf.j2
+++ b/templates/cadoles-pod-hydra-passwordless-v1.conf.j2
@ -2,7 +2,7 @@ PODMAN_ARGS="\
    -p 127.0.0.1:3001:3000 \
    --network=slirp4netns:allow_host_loopback=true \
    --replace --name 'cadoles-pod-hydra-passwordless-v1' \
-    -e HTTP_BASE_URL={{ public_scheme }}://{{ public_host }}/auth/passwordless \
+    -e HTTP_BASE_URL={{ haproxy_public_base_url }}/auth/passwordless \
    -e 'SMTP_HOST={{ hydra_passwordless_smtp_host }}' \
    -e 'SMTP_PORT={{ hydra_passwordless_smtp_port }}' \
    -e 'SMTP_USER={{ hydra_passwordless_smtp_user }}' \
--- a/templates/cadoles-pod-hydra-remote-user-v1.conf.j2
+++ b/templates/cadoles-pod-hydra-remote-user-v1.conf.j2
@ -6,9 +6,9 @@ PODMAN_ARGS="\
    -v /etc/hydra-remote-user/apache.conf:/etc/apache2/sites-available/000-default.conf \
    -e APP_ENV=prod \
    -e APP_DEBUG=no \
-    -e HTTP_BASE_URL={{ public_scheme }}://{{ public_host }}/auth/saml \
+    -e 'HTTP_BASE_URL={{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}' \
-    -e COOKIE_PATH=/auth/saml \
+    -e COOKIE_PATH={{ haproxy_hydra_saml_base_path }} \
    -e HYDRA_ADMIN_BASE_URL=http://10.0.2.2:3000 \
    -e 'TRUSTED_PROXIES=127.0.0.1,10.0.2.0/24' \
-    -e LOGOUT_REDIRECT_URL_PATTERN={{ public_scheme }}://{{ public_host }}/auth/saml/Shibboleth.sso/Logout?return=%s \
+    -e 'LOGOUT_REDIRECT_URL_PATTERN={{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}/Shibboleth.sso/Logout?return=%s' \
 "
--- a/templates/cadoles-pod-hydra-v1.conf.j2
+++ b/templates/cadoles-pod-hydra-v1.conf.j2
@ -6,13 +6,15 @@ PODMAN_ARGS="\
    -p 127.0.0.1:4445:4445 \
    --tmpfs /tmp \
    -e 'HYDRA_DSN=mysql://{{ hydra_database_user }}:{{ hydra_database_password }}@tcp({{ hydra_database_host }}:{{ hydra_database_port }})/{{ hydra_database_name }}?parseTime=true' \
-    -e LOG_LEVEL=debug \
+    -e 'LOG_LEVEL={{ hydra_log_level }}' \
-    -e LOG_LEAK_SENSITIVE_VALUES=true \
+    -e 'LOG_LEAK_SENSITIVE_VALUES={{ hydra_log_leak_sensitive_values }}' \
-    -e HYDRA_URLS_SELF_ISSUER={{ public_scheme }}://{{ public_host }} \
+    -e 'HYDRA_URLS_SELF_ISSUER={{ hydra_urls_self_issuer_url }}' \
-    -e HYDRA_URLS_CONSENT={{ public_scheme }}://{{ public_host }}/auth/dispatcher/consent \
+    -e 'HYDRA_URLS_CONSENT={{ hydra_urls_consent }}' \
-    -e HYDRA_URLS_LOGIN={{ public_scheme }}://{{ public_host }}/auth/dispatcher/login \
+    -e 'HYDRA_URLS_LOGIN={{ hydra_urls_login }}' \
-    -e HYDRA_URLS_LOGOUT={{ public_scheme }}://{{ public_host }}/auth/dispatcher/logout \
+    -e 'HYDRA_URLS_LOGOUT={{ hydra_urls_logout }}' \
-    -e HYDRA_ALLOW_INSECURE=yes \
+    -e 'HYDRA_ALLOW_INSECURE=yes' \
-    -e HYDRA_LEVEL=debug \
+    -e 'HYDRA_LEVEL={{ hydra_log_level }}' \
    -e 'HYDRA_SECRETS_SYSTEM={{ lookup('ansible.builtin.password', '/dev/null length=32 seed=hydra_secrets_seed') }}' \
    -e 'HYDRA_OIDC_SUBJECT_IDENTIFIERS_PAIRWISE_SALT={{ lookup('ansible.builtin.password', '/dev/null length=32 seed=hydra_secrets_seed') }}' \
    -v /etc/hydra/clients.d:/etc/hydra/clients.d \
 "
--- a/templates/cadoles-pod-shibboleth-sp-v3.conf.j2
+++ b/templates/cadoles-pod-shibboleth-sp-v3.conf.j2
@ -2,11 +2,12 @@ PODMAN_ARGS="\
    -p 127.0.0.1:3002:80 \
    --network=slirp4netns:allow_host_loopback=true \
    --replace --name 'cadoles-pod-shibboleth-sp-v3' \
-    -e 'SP_ENTITY_ID={{ public_scheme }}://{{ public_host }}/auth/saml' \
+    -e 'SP_ENTITY_ID={{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}' \
    -e 'IDP_ENTITY_ID={{ hydra_saml_idp_entity_id }}' \
    -e 'IDP_METADATA_URL={{ hydra_saml_idp_metadata_url }}' \
    -e 'APACHE_BACKEND_URL=http://10.0.2.2:3003' \
-    -e 'SP_HANDLER_BASE_PATH=/auth/saml' \
+    -e 'APACHE_FORCE_HTTPS={{ "true" if haproxy_public_base_url.startswith('https') else "false" }}' \
    -e 'SP_HANDLER_BASE_PATH={{ haproxy_hydra_saml_base_path }}' \
    -v '/etc/shibboleth/attribute-map.inc.xml:/etc/shibboleth/attribute-map.inc.xml' \
    -v '/etc/shibboleth/shibboleth2.xml.gotmpl:/etc/shibboleth/shibboleth2.xml.gotmpl' \
    -v '/etc/shibboleth/credentials:/etc/shibboleth/credentials' \
--- a/templates/haproxy.cfg.j2
+++ b/templates/haproxy.cfg.j2
@ -39,12 +39,12 @@ frontend http-in
    maxconn 2000
-    acl login_dispatcher path_beg -i /auth/dispatcher
+    acl login_dispatcher path_beg -i {{ haproxy_hydra_dispatcher_base_path }}
 {% if enable_hydra_passwordless %}
-    acl login_passwordless path_beg -i /auth/passwordless
+    acl login_passwordless path_beg -i {{ haproxy_hydra_passwordless_base_path }}
 {% endif %}
 {% if enable_hydra_saml %}
-    acl login_saml path_beg -i /auth/saml
+    acl login_saml path_beg -i {{ haproxy_hydra_saml_base_path }}
 {% endif %}
    use_backend hydra_dispatcher if login_dispatcher
@ -56,47 +56,30 @@ frontend http-in
 {% endif %}
    use_backend hydra
 option forwardfor
 http-request set-header X-Forwarded-Proto {{ haproxy_forwarded_proto }}
 http-request set-header X-Forwarded-Host {{ haproxy_forwarded_host }}
 http-request set-header X-Forwarded-Port {{ haproxy_forwarded_port }}
 # Backend Hydra
 backend hydra
    balance roundrobin
    # Headers HTTP des requêtes
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto http
    http-request set-header X-Forwarded-Host %[req.hdr(Host)]
    server hydra 127.0.0.1:4444 check
 # Backend Hydra Dispatcher
 backend hydra_dispatcher
    balance roundrobin
    # Headers HTTP des requêtes
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto http
    http-request set-header X-Forwarded-Host %[req.hdr(Host)]
    # Suppression du préfixe /auth/dispatcher dans l'URL
-    http-request set-path %[path,regsub(^/auth/dispatcher/,/)]
+    http-request set-path %[path,regsub(^{{ haproxy_hydra_dispatcher_base_path }}/,/)]
    server hydra-login-dispatcher 127.0.0.1:3000 check
 {% if enable_hydra_passwordless %}
 # Backend Hydra Passwordless
 backend hydra_passwordless
    balance roundrobin
    # Headers HTTP des requêtes
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto http
    http-request set-header X-Forwarded-Host %[req.hdr(Host)]
    # Suppression du préfixe /auth/passwordless dans l'URL
-    http-request set-path %[path,regsub(^/auth/passwordless,)]
+    http-request set-path %[path,regsub(^{{ haproxy_hydra_passwordless_base_path }},)]
    server hydra-login-passwordless 127.0.0.1:3001 check
 {%- endif %}
@ -104,12 +87,5 @@ backend hydra_passwordless
 # Backend Hydra SAML
 backend hydra_saml
    balance roundrobin
    # Headers HTTP des requêtes
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto http
    http-request set-header X-Forwarded-Host %[req.hdr(Host)]
    server hydra-login-saml 127.0.0.1:3002 check
 {%- endif %}
--- a/templates/hydra-client.json.j2
+++ b/templates/hydra-client.json.j2
@ -1,7 +1,7 @@
 {
 	"client_id": {{ item.client_id | to_json }},
 	"client_name": {{ item.client_name | default(item.client_id) | to_json }},
-	"client_secret": {{ item.client_secret | default(lookup('ansible.builtin.password', '/dev/null chars=ascii_lowercase,digits length=32')) | to_json }},
+	"client_secret": {{ item.client_secret | default(lookup('ansible.builtin.password', '/dev/null chars=ascii_lowercase,digits length=32 seed=inventory_hostname')) | to_json }},
 	"grant_types": {{ item.grant_types | default(["authorization_code","refresh_token"]) | to_json }},
 	"jwks": {},
 	"metadata": {},
--- a/templates/hydra-dispatcher-apps.yml.j2
+++ b/templates/hydra-dispatcher-apps.yml.j2
@ -4,9 +4,9 @@ hydra:
    - id: passwordless
      title: "{{ hydra_passwordless_app_title }}"
      description: "{{ hydra_passwordless_app_description }}"
-      login_url: {{ public_scheme }}://{{ public_host }}/auth/passwordless/login
+      login_url: {{ haproxy_public_base_url }}{{ haproxy_hydra_passwordless_base_path }}/login
-      consent_url: {{ public_scheme }}://{{ public_host }}/auth/passwordless/consent
+      consent_url: {{ haproxy_public_base_url }}{{ haproxy_hydra_passwordless_base_path }}/consent
-      logout_url: {{ public_scheme }}://{{ public_host }}/auth/passwordless/logout
+      logout_url: {{ haproxy_public_base_url }}{{ haproxy_hydra_passwordless_base_path }}/logout
      attributes_rewrite_rules:
        email:
          - consent.session.id_token.email
@ -16,9 +16,9 @@ hydra:
    - id: saml
      title: "{{ hydra_saml_app_title }}"
      description: "{{ hydra_saml_app_description }}"
-      login_url: {{ public_scheme }}://{{ public_host }}/auth/saml/login
+      login_url: {{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}/login
-      consent_url: {{ public_scheme }}://{{ public_host }}/auth/saml/consent
+      consent_url: {{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}/consent
-      logout_url: {{ public_scheme }}://{{ public_host }}/auth/saml/logout
+      logout_url: {{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}/logout
      attributes_rewrite_rules:
        email:
          - consent.session.id_token.email