--- install_only: false # cadoles-pod repository configuration cadoles_pod_debian_repository_url: https://vulcain.cadoles.com cadoles_pod_debian_repository: bullseye-dev cadoles_pod_debian_repository_key_url: https://vulcain.cadoles.com/cadoles.gpg # packages versions haproxy_package_version: '*' cadoles_pod_hydra_v1_package_version: '*' cadoles_pod_hydra_dispatcher_v1_package_version: '*' cadoles_pod_shibboleth_sp_v3_package_version: '*' cadoles_pod_hydra_remote_user_v1_package_version: '*' cadoles_pod_hydra_passwordless_v1_package_version: '*' cadoles_pod_hydra_oidc_v1_package_version: '*' cadoles_pod_hydra_ldap_v1_package_version: '*' # Hydra database configuration hydra_use_external_database: false hydra_auto_migrate: false hydra_database_name: hydra hydra_database_user: hydra hydra_database_password: hydra hydra_database_host: 10.0.2.2 hydra_database_port: 3306 # HAProxy configuration haproxy_public_base_url: http://{{ ansible_default_ipv4.address | default(ansible_all_ipv4_addresses[0]) }} haproxy_hydra_base_path: /auth haproxy_hydra_dispatcher_base_path: /auth/dispatcher haproxy_hydra_passwordless_base_path: /auth/passwordless haproxy_hydra_saml_base_path: /auth/saml haproxy_hydra_oidc_base_path: /auth/oidc haproxy_hydra_ldap_base_path: /auth/ldap haproxy_oidc_test_base_path: /auth/test haproxy_forwarded_proto: https haproxy_forwarded_host: "%[req.hdr(Host)]" # Hydra OIDC configuration hydra_urls_self_issuer_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_base_path }}" hydra_urls_consent: "{{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}/consent" hydra_urls_login: "{{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}/login" hydra_urls_logout: "{{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}/logout" hydra_url_post_logout: "{{ haproxy_public_base_url }}" hydra_urls_error: "{{ haproxy_public_base_url }}/erreur" hydra_public_cors_allowed_origins: [] hydra_log_level: warn hydra_log_leak_sensitive_values: no # Durée de vie des "refresh_token" hydra_ttl_refresh_token: "24h" hydra_bcrypt_cost: 8 # This value should not be changed after first deployment ! hydra_secrets_seed: "{{ inventory_hostname }}" # Hydra clients hydra_clients: - client_id: default-client client_name: Default client # Hydra dispatcher configuration enable_hydra_dispatcher: true hydra_dispatcher_cookie_path: "{{ haproxy_hydra_dispatcher_base_path }}" hydra_dispatcher_debug: no hydra_dispatcher_admin_authorized_hosts: - '10.0.0.0/8' - '172.16.0.0/12' - '192.168.0.0/16' hydra_dispatcher_default_locale: fr hydra_dispatcher_available_locales: - fr - en hydra_dispatcher_sentry_dsn: hydra_dispatcher_sentry_environment: hydra_dispatcher_mounts: [] hydra_dispatcher_disable_app_auto_select: true hydra_dispatcher_webhook: false hydra_dispatcher_webhook_api_url: hydra_dispatcher_webhook_api_key: YouNeedToChangeMe hydra_dispatcher_webhook_rules: email: required: false pattern: family_name: required: false given_name: required: false birthdate: required: false birthplace: required: false birthcountry: required: false crous: required: false idpve: required: false sub: required: false # Hydra Passwordless configuration enable_hydra_passwordless: yes hydra_passwordless_app_title: fr: Adresse courriel hydra_passwordless_app_description: fr: Authentification via adresse courriel hydra_passwordless_app_icon_url: https://upload.wikimedia.org/wikipedia/commons/4/48/You%27ve_got_mail.png hydra_passwordless_identity_provider_id: passwordless hydra_passwordless_smtp_host: smtp-server hydra_passwordless_smtp_port: 25 hydra_passwordless_smtp_user: smtp-user hydra_passwordless_smtp_password: smtp-password hydra_passwordless_smtp_insecure_skip_verify: no hydra_passwordless_smtp_use_start_tls: no hydra_passwordless_sender_address: noreply@localhost hydra_passwordless_sender_name: "[hydra-passwordless]" hydra_passwordless_attributes_rewrite_rules: email: - "property_exists(consent.session.id_token, 'email') ? consent.session.id_token.email : null" email_verified: - "property_exists(consent.session.id_token, 'email_verified') ? consent.session.id_token.email_verified : false" family_name: - "property_exists(consent.session.id_token, 'family_name') ? consent.session.id_token.family_name : null" given_name: - "property_exists(consent.session.id_token, 'given_name') ? consent.session.id_token.given_name : null" birthdate: - "property_exists(consent.session.id_token, 'birthdate') ? consent.session.id_token.birthdate : null" gender: - "property_exists(consent.session.id_token, 'gender') ? consent.session.id_token.gender : null" birthplace: - "property_exists(consent.session.id_token, 'birthplace') ? consent.session.id_token.birthplace : null" birthcountry: - "property_exists(consent.session.id_token, 'birthcountry') ? consent.session.id_token.birthcountry : null" roles: - "property_exists(consent.session.id_token, 'roles') ? consent.session.id_token.roles : []" # Hydra SAML configuration enable_hydra_saml: yes hydra_saml_app_title: fr: SAML hydra_saml_app_description: fr: Authentification via SAML hydra_saml_app_icon_url: hydra_saml_identity_provider_id: saml hydra_saml_idp_entity_id: https://samltest.id/saml/idp hydra_saml_idp_metadata_url: https://samltest.id/saml/idp hydra_saml_app_options: icon_url: fr: # Liste des URLs autorisées pour la redirection post-login/logout sur le service shibboleth-sp hydra_saml_allowed_redirects: [] # Chemin associé au cookie du service hydra-remote-user hydra_saml_cookie_path: "{{ haproxy_hydra_saml_base_path }}" # Activer/désactiver le mode "debug" du service shibboleth-sp hydra_saml_debug: no # Niveau de verbosité du service shibboleth-sp hydra_saml_sp_log_level: WARN # Inclure les règles de cartographie des attributs SAML fournis par défaut par le projet hydra-shibboleth-sp-v3 hydra_saml_include_sp_default_attributes_mapping: "yes" # Inclure les règles de filtrages des attributs SAML fournis par défaut par le projet hydra-shibboleth-sp-v3 hydra_saml_include_sp_default_attributes_policy: "yes" # Règles de sélection et réécritures des attributs du jeton OIDC # en provenance de la login-app sélectionnée hydra_saml_attributes_rewrite_rules: email: - "consent.session.id_token.email ? consent.session.id_token.email : null" family_name: - "consent.session.id_token.family_name ? consent.session.id_token.family_name : null" given_name: - "consent.session.id_token.given_name ? consent.session.id_token.given_name : null" birthdate: - "consent.session.id_token.given_name ? consent.session.id_token.birthdate : null" gender: - "consent.session.id_token.given_name ? consent.session.id_token.gender : null" birthplace: - "consent.session.id_token.given_name ? consent.session.id_token.birthplace : null" birthcountry: - "consent.session.id_token.given_name ? consent.session.id_token.birthcountry : null" roles: - "consent.session.id_token.roles ? consent.session.id_token.roles : null" # Entête HTTP utilisée pour identifier l'utilisateur connecté hydra_saml_subject_header: subject-id # Liste des entêtes HTTP utilisées et transformées en attributs # pour le jeton OIDC hydra_saml_headers_attributes_mapping: - header: mail attribute: email required: true saml_attributes: - id: uid name: urn:oid:0.9.2342.19200300.100.1.1 nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri - id: mail name: urn:oid:0.9.2342.19200300.100.1.3 nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri saml_attribute_policies: [] # OIDC Test configuration enable_oidc_test_app: yes oidc_test_app_client_id: oidc-test oidc_test_app_client_secret: '$oidc-test&123456$' oidc_test_app_public_base_url: "{{ haproxy_public_base_url }}{{ haproxy_oidc_test_base_path }}" # Hydra OIDC configuration enable_hydra_oidc: no hydra_oidc_debug: no hydra_oidc_hydra_url_error: hydra_oidc_base_url: hydra_oidc_cookie_path: "{{ haproxy_hydra_oidc_base_path }}" hydra_oidc_app_title: fr: OIDC hydra_oidc_app_description: fr: Authentification via OIDC hydra_oidc_app_icon_url: https://openid.net/wordpress-content/uploads/2014/09/openid-r-logo-900x360.png hydra_oidc_identity_provider_id: oidc hydra_oidc_authorize_endpoint: hydra_oidc_token_endpoint: hydra_oidc_userinfo_endpoint: hydra_oidc_logout_endpoint: hydra_oidc_post_logout_redirect_url: hydra_oidc_scope: openid email hydra_oidc_client_id: hydra_oidc_client_secret: hydra_oidc_additionnal_env: {} hydra_oidc_app_options: icon_url: fr: hydra_oidc_attributes_rewrite_rules: email: - "property_exists(consent.session.id_token, 'email') ? consent.session.id_token.email : null" email_verified: - "property_exists(consent.session.id_token, 'email_verified') ? consent.session.id_token.email_verified : false" family_name: - "property_exists(consent.session.id_token, 'family_name') ? consent.session.id_token.family_name : null" given_name: - "property_exists(consent.session.id_token, 'given_name') ? consent.session.id_token.given_name : null" birthdate: - "property_exists(consent.session.id_token, 'birthdate') ? consent.session.id_token.birthdate : null" gender: - "property_exists(consent.session.id_token, 'gender') ? consent.session.id_token.gender : null" birthplace: - "property_exists(consent.session.id_token, 'birthplace') ? consent.session.id_token.birthplace : null" birthcountry: - "property_exists(consent.session.id_token, 'birthcountry') ? consent.session.id_token.birthcountry : null" roles: - "property_exists(consent.session.id_token, 'roles') ? consent.session.id_token.roles : []" # Hydra LDAP configuration enable_hydra_ldap: no hydra_ldap_app_title: fr: LDAP hydra_ldap_app_description: fr: Authentification via LDAP hydra_ldap_app_icon_url: hydra_ldap_dev_mode: false hydra_ldap_attributes_rewrite_rules: email: - "property_exists(consent.session.id_token, 'email') ? consent.session.id_token.email : null" email_verified: - "property_exists(consent.session.id_token, 'email_verified') ? consent.session.id_token.email_verified : false" family_name: - "property_exists(consent.session.id_token, 'family_name') ? consent.session.id_token.family_name : null" given_name: - "property_exists(consent.session.id_token, 'given_name') ? consent.session.id_token.given_name : null" birthdate: - "property_exists(consent.session.id_token, 'birthdate') ? consent.session.id_token.birthdate : null" gender: - "property_exists(consent.session.id_token, 'gender') ? consent.session.id_token.gender : null" birthplace: - "property_exists(consent.session.id_token, 'birthplace') ? consent.session.id_token.birthplace : null" birthcountry: - "property_exists(consent.session.id_token, 'birthcountry') ? consent.session.id_token.birthcountry : null" roles: - "property_exists(consent.session.id_token, 'roles') ? consent.session.id_token.roles : []" hydra_ldap_endpoints: [] hydra_ldap_bind_dn: hydra_ldap_bind_password: hydra_ldap_base_dn: hydra_ldap_user_search_query: "(&(objectClass=inetOrgPerson)(|(uid=%[1]s)(mail=%[1]s)))" hydra_ldap_role_search_query: "(&(memberUid=%[1]s)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=posixGroup)))" hydra_ldap_attr_claims: "sn:family_name,givenName:given_name,mail:email" hydra_ldap_role_base_dn: hydra_ldap_role_attr: cn hydra_ldap_use_tls: false hydra_ldap_role_claim: roles hydra_ldap_claim_scopes: "name:profile,family_name:profile,given_name:profile,email:email,roles:roles"