feat: generalize variables usage

defaults/main.yml

@@ -4,6 +4,14 @@ cadoles_pod_debian_repository_url: https://vulcain.cadoles.com
 cadoles_pod_debian_repository: bullseye-dev
 cadoles_pod_debian_repository_key_url: https://vulcain.cadoles.com/cadoles.gpg
 
+# packages versions
+haproxy_package_version: '*'
+cadoles_pod_hydra_v1_package_version: '*'
+cadoles_pod_hydra_dispatcher_v1_package_version: '*'
+cadoles_pod_shibboleth_sp_v3_package_version: '*'
+cadoles_pod_hydra_remote_user_v1_package_version: '*'
+cadoles_pod_hydra_passwordless_v1_package_version: '*'
+
 # Hydra database configuration
 hydra_use_external_database: no
 hydra_database_name: hydra
@@ -12,17 +20,31 @@ hydra_database_password: hydra
 hydra_database_host: 10.0.2.2
 hydra_database_port: 3306
 
+# HAProxy configuration
+
+haproxy_public_base_url: http://{{ ansible_default_ipv4.address | default(ansible_all_ipv4_addresses[0]) }}
+haproxy_hydra_dispatcher_base_path: /auth/dispatcher
+haproxy_hydra_passwordless_base_path: /auth/passwordless
+haproxy_hydra_saml_base_path: /auth/saml
+
 # Hydra OIDC configuration
 
-public_scheme: http
-public_host: "{{ ansible_default_ipv4.address | default(ansible_all_ipv4_addresses[0]) }}"
+hydra_urls_self_issuer_url: "{{ haproxy_public_base_url }}"
+hydra_urls_consent: "{{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}/consent"
+hydra_urls_login: "{{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}/login"
+hydra_urls_logout: "{{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}/logout"
+
+hydra_log_level: warn
+hydra_log_leak_sensitive_values: no
+
+# This value should not be changed after first deployment !
+hydra_secrets_seed: "{{ inventory_hostname }}"
 
 # Hydra clients
 
 hydra_clients:
   - client_id: default-client
     client_name: Default client
-    redirect_uris: ["{{ public_scheme }}://{{ public_host }}"]
 
 # Hydra Passwordless configuration
 
@@ -51,5 +73,6 @@ hydra_saml_idp_metadata_url: https://samltest.id/saml/idp
 # OIDC Test configuration
 
 enable_oidc_test_app: yes
+oidc_test_app_public_base_url: http://{{ ansible_default_ipv4.address | default(ansible_all_ipv4_addresses[0]) }}:8080
 oidc_test_app_client_id: oidc-test
 oidc_test_app_client_secret: '$oidc-test&123456$'

tasks/hydra-passwordless.yml

@@ -3,9 +3,9 @@
 - name: Install cadoles-pod-hydra-passwordless-v1 package
   ansible.builtin.apt:
     name:
-      - cadoles-pod-hydra-passwordless-v1
+      - "cadoles-pod-hydra-passwordless-v1={{ cadoles_pod_hydra_passwordless_v1_package_version }}"
     update_cache: yes
-    state: latest
+    state: present
   become: true
 
 - name: Configure cadoles-pod-hydra-passwordless-v1

tasks/hydra-saml.yml

@@ -3,10 +3,10 @@
 - name: Install cadoles-pod-hydra-remote-user-v1 package
   ansible.builtin.apt:
     name:
-      - cadoles-pod-shibboleth-sp-v3
-      - cadoles-pod-hydra-remote-user-v1
+      - "cadoles-pod-shibboleth-sp-v3={{ cadoles_pod_shibboleth_sp_v3_package_version }}"
+      - "cadoles-pod-hydra-remote-user-v1={{ cadoles_pod_hydra_remote_user_v1_package_version }}"
     update_cache: yes
-    state: latest
+    state: present
   become: true
 
 - name: Configure cadoles-pod-hydra-remote-user-v1

tasks/main.yml

@@ -31,11 +31,11 @@
 - name: Install core packages
   ansible.builtin.apt:
     name:
-      - haproxy
-      - cadoles-pod-hydra-v1
-      - cadoles-pod-hydra-dispatcher-v1
+      - haproxy={{ haproxy_package_version }}
+      - cadoles-pod-hydra-v1={{ cadoles_pod_hydra_v1_package_version }}
+      - cadoles-pod-hydra-dispatcher-v1={{ cadoles_pod_hydra_dispatcher_v1_package_version }}
     update_cache: yes
-    state: latest
+    state: present
   become: true
 
 - name: Configure Hydra local database

tasks/oidc-test.yml

@@ -8,8 +8,8 @@
     - client_id: "{{ oidc_test_app_client_id }}"
       client_secret: "{{ oidc_test_app_client_secret }}"
       client_name: "OIDC Test"
-      redirect_uris: ["{{ public_scheme }}://{{ public_host }}:8080/oauth2/callback"]
-      post_logout_redirect_uris: ["{{ public_scheme }}://{{ public_host }}:8080"]
+      redirect_uris: ["{{ oidc_test_app_public_base_url }}/oauth2/callback"]
+      post_logout_redirect_uris: ["{{ oidc_test_app_public_base_url }}"]
       logo_uri: https://www.cadoles.com/images/logo.svg
 
   notify:

templates/cadoles-pod-hydra-dispatcher-v1.conf.j2

@@ -9,8 +9,8 @@ PODMAN_ARGS="\
     -e HYDRA_ADMIN_BASE_URL=http://10.0.2.2:4445 \
     -e HYDRA_BASE_URL=http://10.0.2.2:4444 \
     -e HYDRA_REWRITE_ISSUER=no \
-    -e HYDRA_ORIGINAL_ISSUER={{ public_scheme }}://{{ public_host }} \
-    -e HYDRA_NEW_ISSUER={{ public_scheme }}://{{ public_host }} \
-    -e 'ASSETS_BASE_URL={{ public_scheme }}://{{ public_host }}/auth/dispatcher' \
-    -e 'COOKIE_PATH=/auth/dispatcher' \
+    -e 'HYDRA_ORIGINAL_ISSUER={{ haproxy_public_base_url }}' \
+    -e 'HYDRA_NEW_ISSUER={{ haproxy_public_base_url }}' \
+    -e 'ASSETS_BASE_URL={{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}' \
+    -e 'COOKIE_PATH={{ haproxy_hydra_dispatcher_base_path }}' \
 "

templates/cadoles-pod-hydra-passwordless-v1.conf.j2

@@ -2,7 +2,7 @@ PODMAN_ARGS="\
     -p 127.0.0.1:3001:3000 \
     --network=slirp4netns:allow_host_loopback=true \
     --replace --name 'cadoles-pod-hydra-passwordless-v1' \
-    -e HTTP_BASE_URL={{ public_scheme }}://{{ public_host }}/auth/passwordless \
+    -e HTTP_BASE_URL={{ haproxy_public_base_url }}/auth/passwordless \
     -e 'SMTP_HOST={{ hydra_passwordless_smtp_host }}' \
     -e 'SMTP_PORT={{ hydra_passwordless_smtp_port }}' \
     -e 'SMTP_USER={{ hydra_passwordless_smtp_user }}' \

templates/cadoles-pod-hydra-remote-user-v1.conf.j2

@@ -6,9 +6,9 @@ PODMAN_ARGS="\
     -v /etc/hydra-remote-user/apache.conf:/etc/apache2/sites-available/000-default.conf \
     -e APP_ENV=prod \
     -e APP_DEBUG=no \
-    -e HTTP_BASE_URL={{ public_scheme }}://{{ public_host }}/auth/saml \
-    -e COOKIE_PATH=/auth/saml \
+    -e 'HTTP_BASE_URL={{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}' \
+    -e COOKIE_PATH={{ haproxy_hydra_saml_base_path }} \
     -e HYDRA_ADMIN_BASE_URL=http://10.0.2.2:3000 \
     -e 'TRUSTED_PROXIES=127.0.0.1,10.0.2.0/24' \
-    -e LOGOUT_REDIRECT_URL_PATTERN={{ public_scheme }}://{{ public_host }}/auth/saml/Shibboleth.sso/Logout?return=%s \
+    -e 'LOGOUT_REDIRECT_URL_PATTERN={{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}/Shibboleth.sso/Logout?return=%s' \
 "

templates/cadoles-pod-hydra-v1.conf.j2

@@ -6,13 +6,15 @@ PODMAN_ARGS="\
     -p 127.0.0.1:4445:4445 \
     --tmpfs /tmp \
     -e 'HYDRA_DSN=mysql://{{ hydra_database_user }}:{{ hydra_database_password }}@tcp({{ hydra_database_host }}:{{ hydra_database_port }})/{{ hydra_database_name }}?parseTime=true' \
-    -e LOG_LEVEL=debug \
-    -e LOG_LEAK_SENSITIVE_VALUES=true \
-    -e HYDRA_URLS_SELF_ISSUER={{ public_scheme }}://{{ public_host }} \
-    -e HYDRA_URLS_CONSENT={{ public_scheme }}://{{ public_host }}/auth/dispatcher/consent \
-    -e HYDRA_URLS_LOGIN={{ public_scheme }}://{{ public_host }}/auth/dispatcher/login \
-    -e HYDRA_URLS_LOGOUT={{ public_scheme }}://{{ public_host }}/auth/dispatcher/logout \
-    -e HYDRA_ALLOW_INSECURE=yes \
-    -e HYDRA_LEVEL=debug \
+    -e 'LOG_LEVEL={{ hydra_log_level }}' \
+    -e 'LOG_LEAK_SENSITIVE_VALUES={{ hydra_log_leak_sensitive_values }}' \
+    -e 'HYDRA_URLS_SELF_ISSUER={{ hydra_urls_self_issuer_url }}' \
+    -e 'HYDRA_URLS_CONSENT={{ hydra_urls_consent }}' \
+    -e 'HYDRA_URLS_LOGIN={{ hydra_urls_login }}' \
+    -e 'HYDRA_URLS_LOGOUT={{ hydra_urls_logout }}' \
+    -e 'HYDRA_ALLOW_INSECURE=yes' \
+    -e 'HYDRA_LEVEL={{ hydra_log_level }}' \
+    -e 'HYDRA_SECRETS_SYSTEM={{ lookup('ansible.builtin.password', '/dev/null length=32 seed=hydra_secrets_seed') }}' \
+    -e 'HYDRA_OIDC_SUBJECT_IDENTIFIERS_PAIRWISE_SALT={{ lookup('ansible.builtin.password', '/dev/null length=32 seed=hydra_secrets_seed') }}' \
     -v /etc/hydra/clients.d:/etc/hydra/clients.d \
 "

templates/cadoles-pod-shibboleth-sp-v3.conf.j2

@@ -2,7 +2,7 @@ PODMAN_ARGS="\
     -p 127.0.0.1:3002:80 \
     --network=slirp4netns:allow_host_loopback=true \
     --replace --name 'cadoles-pod-shibboleth-sp-v3' \
-    -e 'SP_ENTITY_ID={{ public_scheme }}://{{ public_host }}/auth/saml' \
+    -e 'SP_ENTITY_ID={{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}' \
     -e 'IDP_ENTITY_ID={{ hydra_saml_idp_entity_id }}' \
     -e 'IDP_METADATA_URL={{ hydra_saml_idp_metadata_url }}' \
     -e 'APACHE_BACKEND_URL=http://10.0.2.2:3003' \

templates/haproxy.cfg.j2

@@ -39,21 +39,21 @@ frontend http-in
     
     maxconn 2000    
 
-    acl login_dispatcher path_beg -i /auth/dispatcher
-    {% if enable_hydra_passwordless %}
-    acl login_passwordless path_beg -i /auth/passwordless
-    {% endif %}
-    {% if enable_hydra_saml %}
-    acl login_saml path_beg -i /auth/saml
-    {% endif %}
+    acl login_dispatcher path_beg -i {{ haproxy_hydra_dispatcher_base_path }}
+{% if enable_hydra_passwordless %}
+    acl login_passwordless path_beg -i {{ haproxy_hydra_passwordless_base_path }}
+{% endif %}
+{% if enable_hydra_saml %}
+    acl login_saml path_beg -i {{ haproxy_hydra_saml_base_path }}
+{% endif %}
 
     use_backend hydra_dispatcher if login_dispatcher
-    {% if enable_hydra_passwordless %}
+{% if enable_hydra_passwordless %}
     use_backend hydra_passwordless if login_passwordless
-    {% endif %}
-    {% if enable_hydra_saml %}
+{% endif %}
+{% if enable_hydra_saml %}
     use_backend hydra_saml if login_saml
-    {% endif %}
+{% endif %}
     use_backend hydra
 
 # Backend Hydra
@@ -79,7 +79,7 @@ backend hydra_dispatcher
     http-request set-header X-Forwarded-Host %[req.hdr(Host)]
 
     # Suppression du préfixe /auth/dispatcher dans l'URL
-    http-request set-path %[path,regsub(^/auth/dispatcher/,/)]
+    http-request set-path %[path,regsub(^{{ haproxy_hydra_dispatcher_base_path }}/,/)]
 
     server hydra-login-dispatcher 127.0.0.1:3000 check
 
@@ -95,7 +95,7 @@ backend hydra_passwordless
     http-request set-header X-Forwarded-Host %[req.hdr(Host)]
 
     # Suppression du préfixe /auth/passwordless dans l'URL
-    http-request set-path %[path,regsub(^/auth/passwordless,)]
+    http-request set-path %[path,regsub(^{{ haproxy_hydra_passwordless_base_path }},)]
 
     server hydra-login-passwordless 127.0.0.1:3001 check
 {%- endif %}

templates/hydra-dispatcher-apps.yml.j2

@@ -4,9 +4,9 @@ hydra:
     - id: passwordless
       title: "{{ hydra_passwordless_app_title }}"
       description: "{{ hydra_passwordless_app_description }}"
-      login_url: {{ public_scheme }}://{{ public_host }}/auth/passwordless/login
-      consent_url: {{ public_scheme }}://{{ public_host }}/auth/passwordless/consent
-      logout_url: {{ public_scheme }}://{{ public_host }}/auth/passwordless/logout
+      login_url: {{ haproxy_public_base_url }}{{ haproxy_hydra_passwordless_base_path }}/login
+      consent_url: {{ haproxy_public_base_url }}{{ haproxy_hydra_passwordless_base_path }}/consent
+      logout_url: {{ haproxy_public_base_url }}{{ haproxy_hydra_passwordless_base_path }}/logout
       attributes_rewrite_rules:
         email:
           - consent.session.id_token.email
@@ -16,9 +16,9 @@ hydra:
     - id: saml
       title: "{{ hydra_saml_app_title }}"
       description: "{{ hydra_saml_app_description }}"
-      login_url: {{ public_scheme }}://{{ public_host }}/auth/saml/login
-      consent_url: {{ public_scheme }}://{{ public_host }}/auth/saml/consent
-      logout_url: {{ public_scheme }}://{{ public_host }}/auth/saml/logout
+      login_url: {{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}/login
+      consent_url: {{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}/consent
+      logout_url: {{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}/logout
       attributes_rewrite_rules:
         email:
           - consent.session.id_token.email