From b245d6cc72bf6751454d04f10c13fea1ee141d89 Mon Sep 17 00:00:00 2001
From: William Petit
Date: Thu, 21 Jul 2022 10:04:17 +0200
Subject: [PATCH] feat: use become for tasks and refactoring
---
defaults/main.yml | 1 +
handlers/main.yml | 11 ++++++-----
tasks/hydra-database.yml | 31 +++++++++++++++++++++++++++++++
tasks/hydra-passwordless.yml | 4 +++-
tasks/hydra-saml.yml | 8 +++++++-
tasks/main.yml | 32 +++++++++++---------------------
tasks/oidc-test.yml | 14 +++++++++++++-
7 files changed, 72 insertions(+), 29 deletions(-)
create mode 100644 tasks/hydra-database.yml
diff --git a/defaults/main.yml b/defaults/main.yml
index 7ffcd1a..1f1be3f 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -5,6 +5,7 @@ cadoles_pod_debian_repository: bullseye-dev cadoles_pod_debian_repository_key_url: https://vulcain.cadoles.com/cadoles.gpg # Hydra database configuration +hydra_use_external_database: no hydra_database_name: hydra hydra_database_user: hydra hydra_database_password: hydra
diff --git a/handlers/main.yml b/handlers/main.yml
index 25fc327..9437d09 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -3,33 +3,34 @@ service: name: haproxy state: restarted + become: true - name: Restart cadoles-pod-hydra-v1 service: name: cadoles-pod-hydra-v1 state: restarted + become: true - name: Restart cadoles-pod-hydra-dispatcher-v1 service: name: cadoles-pod-hydra-dispatcher-v1 state: restarted + become: true - name: Restart cadoles-pod-hydra-passwordless-v1 service: name: cadoles-pod-hydra-passwordless-v1 state: restarted + become: true - name: Restart cadoles-pod-hydra-remote-user-v1 service: name: cadoles-pod-hydra-remote-user-v1 state: restarted + become: true - name: Restart cadoles-pod-shibboleth-sp-v3 service: name: cadoles-pod-shibboleth-sp-v3 state: restarted - -- name: Restart MySQL - service: - name: mysql - state: restarted
\ No newline at end of file
+ become: true
\ No newline at end of file
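Review bot: `hydra_use_external_database: no` depends on YAML 1.1 truthy parsing; Ansible's loader does turn `no` into a boolean, but yamllint's `truthy` rule rejects it and a YAML 1.2 parser would hand back the string `"no"`, under which the `when: not hydra_use_external_database` guard added to tasks/main.yml evaluates the opposite way. The rest of this commit writes booleans as `true`, so `hydra_use_external_database: false` keeps the defaults file consistent and loader-independent. The same reasoning applies to the `update_cache: yes` lines in the new tasks/hydra-database.yml.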
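Review bot: The new side of handlers/main.yml still ends without a trailing newline (`+ become: true` followed by `\ No newline at end of file`), and the same is true of the new tasks/hydra-database.yml and of tasks/hydra-passwordless.yml, tasks/hydra-saml.yml and tasks/oidc-test.yml. Since the commit already rewrites the last line of each of these files, terminating them with a single newline would satisfy yamllint's `new-line-at-end-of-file` check and stop every later append from churning that line in the diff.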
diff --git a/tasks/hydra-database.yml b/tasks/hydra-database.yml
new file mode 100644
index 0000000..2e16126
--- /dev/null
+++ b/tasks/hydra-database.yml
@@ -0,0 +1,31 @@
+---
+
+- name: Install local database required packages
+ ansible.builtin.apt:
+ name:
+ - mariadb-server
+ - python3-pip
+ update_cache: yes
+ state: latest
+ become: true
+
+- name: Install PyMySQL python package
+ ansible.builtin.pip:
+ name: PyMySQL
+ become: true
+
+- name: Create Hydra database
+ community.mysql.mysql_db:
+ name: "{{ hydra_database_name }}"
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+ state: present
+ become: true
+
+- name: Create Hydra database user
+ community.mysql.mysql_user:
+ name: "{{ hydra_database_user }}"
+ password: "{{ hydra_database_password }}"
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+ priv: '{{ hydra_database_name }}.*:ALL,GRANT'
+ state: present
+ become: true
\ No newline at end of file
diff --git a/tasks/hydra-passwordless.yml b/tasks/hydra-passwordless.yml
index 0ef4108..e9d8664 100644
--- a/tasks/hydra-passwordless.yml
+++ b/tasks/hydra-passwordless.yml
@@ -6,6 +6,7 @@ - cadoles-pod-hydra-passwordless-v1 update_cache: yes state: latest + become: true - name: Configure cadoles-pod-hydra-passwordless-v1 template:
@@ -15,4 +16,5 @@ - src: cadoles-pod-hydra-passwordless-v1.conf.j2 dest: /etc/cadoles-pod-hydra-passwordless-v1.conf notify: - - Restart cadoles-pod-hydra-passwordless-v1
\ No newline at end of file
+ - Restart cadoles-pod-hydra-passwordless-v1
+ become: true
\ No newline at end of file
diff --git a/tasks/hydra-saml.yml b/tasks/hydra-saml.yml
index 009f1d8..e5487d6 100644
--- a/tasks/hydra-saml.yml
+++ b/tasks/hydra-saml.yml
@@ -7,6 +7,7 @@ - cadoles-pod-hydra-remote-user-v1 update_cache: yes state: latest + become: true - name: Configure cadoles-pod-hydra-remote-user-v1 template:
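Review bot: `priv: '{{ hydra_database_name }}.*:ALL,GRANT'` in the 'Create Hydra database user' task gives the application account the GRANT OPTION, which lets it hand out privileges on that schema to other accounts; Hydra only needs to read and write its own tables, so `priv: '{{ hydra_database_name }}.*:ALL'` is the least-privilege form. The same task passes `hydra_database_password` as a module argument without `no_log: true`, so the password is printed in verbose runs and shipped to any callback plugin; add `no_log: true` to that task. Note also that defaults/main.yml in this patch sets `hydra_database_password: hydra`, so a deployment that keeps the defaults ends up with a guessable local database credential — worth a comment in the defaults file telling users to override it. Separately, installing PyMySQL through `ansible.builtin.pip` as root pulls code from PyPI onto the host at run time; Debian ships it as `python3-pymysql`, which could replace both that task and the `python3-pip` package.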
@@ -19,6 +20,7 @@ dest: /etc/hydra-remote-user/conf.d/remote-user.yml notify: - Restart cadoles-pod-hydra-remote-user-v1 + become: true - name: Configure cadoles-pod-hydra-remote-user-v1 (2) ansible.builtin.copy:
@@ -26,6 +28,7 @@ dest: /etc/hydra-remote-user/apache.conf notify: - Restart cadoles-pod-hydra-remote-user-v1 + become: true - name: Create cadoles-pod-shibboleth-sp-v3 expected directories file:
@@ -34,6 +37,7 @@ with_items: - /etc/shibboleth - /etc/shibboleth/credentials + become: true - name: Configure cadoles-pod-shibboleth-sp-v3 ansible.builtin.template:
@@ -46,10 +50,12 @@ dest: /etc/shibboleth/attribute-map.inc.xml notify: - Restart cadoles-pod-shibboleth-sp-v3 + become: true - name: Configure cadoles-pod-shibboleth-sp-v3 (2) ansible.builtin.copy: src: shibboleth2.xml.gotmpl dest: /etc/shibboleth/shibboleth2.xml.gotmpl notify: - - Restart cadoles-pod-shibboleth-sp-v3
\ No newline at end of file
+ - Restart cadoles-pod-shibboleth-sp-v3
+ become: true
\ No newline at end of file
diff --git a/tasks/main.yml b/tasks/main.yml
index 65b3cb7..e29db4c 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
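Review bot: With `become: true` added to 'Create cadoles-pod-shibboleth-sp-v3 expected directories', `/etc/shibboleth/credentials` is now created as root, and a directory by that name is presumably where the SP's private key material is going to live. The `file:` arguments that would set `mode`, `owner` and `group` sit above this hunk and are not visible here, so it is worth confirming the task does not leave the directory at the umask default; pinning something like `mode: "0750"` plus the owner the Shibboleth service runs as, in the same task, makes the new root ownership deliberate rather than incidental. The enclosing task starts outside the hunk.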
@@ -8,50 +8,39 @@ - openssl update_cache: yes state: present + become: true - name: Add LetsEncrypt missing intermediate certificates command: "bash -c 'wget -O- --no-check-certificate https://forge.cadoles.com/Cadoles/Jenkins/raw/branch/master/resources/com/cadoles/common/add-letsencrypt-ca.sh | bash'" args: creates: /etc/ssl/certs/lets-encrypt-e1.pem.pem + become: true - name: Add cadoles-pod debian repository key ansible.builtin.apt_key: url: "{{ cadoles_pod_debian_repository_key_url }}" state: present + become: true - name: Configure cadoles-pod debian repository ansible.builtin.apt_repository: repo: "deb {{ cadoles_pod_debian_repository_url }} {{ cadoles_pod_debian_repository }} main" state: present + become: true - name: Install core packages ansible.builtin.apt: name: - haproxy - - mariadb-server - - python3-pip - cadoles-pod-hydra-v1 - cadoles-pod-hydra-dispatcher-v1 update_cache: yes state: latest + become: true -- name: Install PyMySQL python package - ansible.builtin.pip: - name: PyMySQL - -- name: Create Hydra database - community.mysql.mysql_db: - name: "{{ hydra_database_name }}" - login_unix_socket: /var/run/mysqld/mysqld.sock - state: present - -- name: Create Hydra database user - community.mysql.mysql_user: - name: "{{ hydra_database_user }}" - password: "{{ hydra_database_password }}" - login_unix_socket: /var/run/mysqld/mysqld.sock - priv: '{{ hydra_database_name }}.*:ALL,GRANT' - state: present +- name: Configure Hydra local database + ansible.builtin.include_tasks: hydra-database.yml + when: not hydra_use_external_database - name: Configure HAProxy template:
@@ -60,6 +49,7 @@ validate: "haproxy -c -f %s" notify: - Restart HAProxy + become: true - name: Configure cadoles-pod-hydra-v1 template:
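Review bot: 'Add LetsEncrypt missing intermediate certificates' now pairs `wget -O- --no-check-certificate … | bash` with `become: true`, so a script fetched over a connection whose TLS certificate is deliberately not verified is executed as root on every host where the `creates:` file is missing. Fetch the script with `ansible.builtin.get_url` and a `checksum:` pinned to the known release, then run the local copy, or at the very least drop `--no-check-certificate`. The guard path reads `/etc/ssl/certs/lets-encrypt-e1.pem.pem`; if the script actually writes `lets-encrypt-e1.pem`, the `creates:` check never matches and the download re-runs on every play — worth confirming against the script. 'Install core packages' in the same hunk keeps `state: latest`, which upgrades haproxy and the pod packages as a side effect of configuration; `state: present` is the conventional choice unless unattended upgrades are intended.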
@@ -68,10 +58,9 @@ with_items: - src: cadoles-pod-hydra-v1.conf.j2 dest: /etc/cadoles-pod-hydra-v1.conf - - src: oidc-test-client.json.j2 - dest: /etc/hydra/clients.d/oidc-test.json notify: - Restart cadoles-pod-hydra-v1 + become: true - name: Configure cadoles-pod-hydra-dispatcher-v1 template:
@@ -84,6 +73,7 @@ dest: /etc/hydra-dispatcher/conf.d/apps.yml notify: - Restart cadoles-pod-hydra-dispatcher-v1 + become: true - name: Configure passwordless authentification if enabled ansible.builtin.include_tasks: hydra-passwordless.yml
diff --git a/tasks/oidc-test.yml b/tasks/oidc-test.yml
index 5b8be05..f4fb3cd 100644
--- a/tasks/oidc-test.yml
+++ b/tasks/oidc-test.yml
@@ -1,5 +1,16 @@ --- +- name: Create oidc-test OpenID Connect client configuration + template: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + with_items: + - src: oidc-test-client.json.j2 + dest: /etc/hydra/clients.d/oidc-test.json + notify: + - Restart cadoles-pod-hydra-v1 + become: true + - name: Start oidc-test app containers.podman.podman_container: name: oidc-test
@@ -14,4 +25,5 @@ OIDC_ISSUER_URL: "http://{{ public_host }}/" OIDC_REDIRECT_URL: "http://{{ public_host }}:8080" OIDC_POST_LOGOUT_REDIRECT_URL: "http://{{ public_host }}:8080" - HTTP_ADDRESS: 0.0.0.0:8080
\ No newline at end of file
+ HTTP_ADDRESS: 0.0.0.0:8080
+ become: true
\ No newline at end of file
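Review bot: Adding `become: true` to 'Start oidc-test app' makes `containers.podman.podman_container` invoke podman as root, so the test container now runs under root's podman instance instead of rootless under the connecting user. For a test application that is a real privilege change and deserves either a comment stating it is intended or a `become_user:` naming a dedicated unprivileged account; if a rootless setup was in use before, the container's storage and network also move from that user's namespace to root's, which affects cleanup of the old instance. The task's image and port arguments lie above this hunk and are not visible here.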