312 lines
12 KiB
YAML
312 lines
12 KiB
YAML
---
|
|
install_only: false
|
|
|
|
# cadoles-pod repository configuration
|
|
cadoles_pod_debian_repository_url: https://vulcain.cadoles.com
|
|
cadoles_pod_debian_repository: bullseye-dev
|
|
cadoles_pod_debian_repository_key_url: https://vulcain.cadoles.com/cadoles.gpg
|
|
|
|
# packages versions
|
|
haproxy_package_version: '*'
|
|
cadoles_pod_hydra_v1_package_version: '*'
|
|
cadoles_pod_hydra_dispatcher_v1_package_version: '*'
|
|
cadoles_pod_shibboleth_sp_v3_package_version: '*'
|
|
cadoles_pod_hydra_remote_user_v1_package_version: '*'
|
|
cadoles_pod_hydra_passwordless_v1_package_version: '*'
|
|
cadoles_pod_hydra_oidc_v1_package_version: '*'
|
|
cadoles_pod_hydra_ldap_v1_package_version: '*'
|
|
|
|
# Hydra database configuration
|
|
hydra_use_external_database: false
|
|
hydra_auto_migrate: false
|
|
hydra_database_name: hydra
|
|
hydra_database_user: hydra
|
|
hydra_database_password: hydra
|
|
hydra_database_host: 10.0.2.2
|
|
hydra_database_port: 3306
|
|
|
|
# HAProxy configuration
|
|
|
|
haproxy_public_base_url: http://{{ ansible_default_ipv4.address | default(ansible_all_ipv4_addresses[0]) }}
|
|
|
|
haproxy_hydra_base_path: /auth
|
|
haproxy_hydra_dispatcher_base_path: /auth/dispatcher
|
|
haproxy_hydra_passwordless_base_path: /auth/passwordless
|
|
haproxy_hydra_saml_base_path: /auth/saml
|
|
haproxy_hydra_oidc_base_path: /auth/oidc
|
|
haproxy_hydra_ldap_base_path: /auth/ldap
|
|
haproxy_oidc_test_base_path: /auth/test
|
|
|
|
haproxy_forwarded_proto: https
|
|
haproxy_forwarded_host: "%[req.hdr(Host)]"
|
|
|
|
# Hydra OIDC configuration
|
|
|
|
hydra_urls_self_issuer_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_base_path }}"
|
|
hydra_urls_consent: "{{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}/consent"
|
|
hydra_urls_login: "{{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}/login"
|
|
hydra_urls_logout: "{{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}/logout"
|
|
hydra_url_post_logout: "{{ haproxy_public_base_url }}"
|
|
hydra_urls_error: "{{ haproxy_public_base_url }}/erreur"
|
|
hydra_public_cors_allowed_origins: []
|
|
|
|
hydra_log_level: warn
|
|
hydra_log_leak_sensitive_values: no
|
|
|
|
# Durée de vie des "refresh_token"
|
|
hydra_ttl_refresh_token: "24h"
|
|
|
|
hydra_bcrypt_cost: 8
|
|
|
|
# This value should not be changed after first deployment !
|
|
hydra_secrets_seed: "{{ inventory_hostname }}"
|
|
|
|
# Hydra clients
|
|
|
|
hydra_clients:
|
|
- client_id: default-client
|
|
client_name: Default client
|
|
|
|
# Hydra dispatcher configuration
|
|
|
|
enable_hydra_dispatcher: true
|
|
hydra_dispatcher_cookie_path: "{{ haproxy_hydra_dispatcher_base_path }}"
|
|
hydra_dispatcher_debug: no
|
|
hydra_dispatcher_admin_authorized_hosts:
|
|
- '10.0.0.0/8'
|
|
- '172.16.0.0/12'
|
|
- '192.168.0.0/16'
|
|
hydra_dispatcher_default_locale: fr
|
|
hydra_dispatcher_available_locales:
|
|
- fr
|
|
- en
|
|
hydra_dispatcher_sentry_dsn:
|
|
hydra_dispatcher_sentry_environment:
|
|
hydra_dispatcher_mounts: []
|
|
hydra_dispatcher_disable_app_auto_select: true
|
|
hydra_dispatcher_webhook: false
|
|
hydra_dispatcher_webhook_api_url:
|
|
hydra_dispatcher_webhook_api_key: YouNeedToChangeMe
|
|
hydra_dispatcher_webhook_rules:
|
|
email:
|
|
required: false
|
|
pattern:
|
|
family_name:
|
|
required: false
|
|
given_name:
|
|
required: false
|
|
birthdate:
|
|
required: false
|
|
birthplace:
|
|
required: false
|
|
birthcountry:
|
|
required: false
|
|
crous:
|
|
required: false
|
|
idpve:
|
|
required: false
|
|
sub:
|
|
required: false
|
|
# Hydra Passwordless configuration
|
|
|
|
enable_hydra_passwordless: yes
|
|
hydra_passwordless_app_title:
|
|
fr: Adresse courriel
|
|
hydra_passwordless_app_description:
|
|
fr: Authentification via adresse courriel
|
|
hydra_passwordless_app_icon_url: https://upload.wikimedia.org/wikipedia/commons/4/48/You%27ve_got_mail.png
|
|
hydra_passwordless_identity_provider_id: passwordless
|
|
hydra_passwordless_smtp_host: smtp-server
|
|
hydra_passwordless_smtp_port: 25
|
|
hydra_passwordless_smtp_user: smtp-user
|
|
hydra_passwordless_smtp_password: smtp-password
|
|
hydra_passwordless_smtp_insecure_skip_verify: no
|
|
hydra_passwordless_smtp_use_start_tls: no
|
|
hydra_passwordless_sender_address: noreply@localhost
|
|
hydra_passwordless_sender_name: "[hydra-passwordless]"
|
|
hydra_passwordless_attributes_rewrite_rules:
|
|
email:
|
|
- "property_exists(consent.session.id_token, 'email') ? consent.session.id_token.email : null"
|
|
email_verified:
|
|
- "property_exists(consent.session.id_token, 'email_verified') ? consent.session.id_token.email_verified : false"
|
|
family_name:
|
|
- "property_exists(consent.session.id_token, 'family_name') ? consent.session.id_token.family_name : null"
|
|
given_name:
|
|
- "property_exists(consent.session.id_token, 'given_name') ? consent.session.id_token.given_name : null"
|
|
birthdate:
|
|
- "property_exists(consent.session.id_token, 'birthdate') ? consent.session.id_token.birthdate : null"
|
|
gender:
|
|
- "property_exists(consent.session.id_token, 'gender') ? consent.session.id_token.gender : null"
|
|
birthplace:
|
|
- "property_exists(consent.session.id_token, 'birthplace') ? consent.session.id_token.birthplace : null"
|
|
birthcountry:
|
|
- "property_exists(consent.session.id_token, 'birthcountry') ? consent.session.id_token.birthcountry : null"
|
|
roles:
|
|
- "property_exists(consent.session.id_token, 'roles') ? consent.session.id_token.roles : []"
|
|
|
|
# Hydra SAML configuration
|
|
|
|
enable_hydra_saml: yes
|
|
hydra_saml_app_title:
|
|
fr: SAML
|
|
hydra_saml_app_description:
|
|
fr: Authentification via SAML
|
|
hydra_saml_app_icon_url:
|
|
hydra_saml_identity_provider_id: saml
|
|
hydra_saml_idp_entity_id: https://samltest.id/saml/idp
|
|
hydra_saml_idp_metadata_url: https://samltest.id/saml/idp
|
|
hydra_saml_app_options:
|
|
icon_url:
|
|
fr:
|
|
|
|
# Liste des URLs autorisées pour la redirection post-login/logout sur le service shibboleth-sp
|
|
hydra_saml_allowed_redirects: []
|
|
|
|
# Chemin associé au cookie du service hydra-remote-user
|
|
hydra_saml_cookie_path: "{{ haproxy_hydra_saml_base_path }}"
|
|
|
|
# Activer/désactiver le mode "debug" du service shibboleth-sp
|
|
hydra_saml_debug: no
|
|
|
|
# Niveau de verbosité du service shibboleth-sp
|
|
hydra_saml_sp_log_level: WARN
|
|
|
|
# Inclure les règles de cartographie des attributs SAML fournis par défaut par le projet hydra-shibboleth-sp-v3
|
|
hydra_saml_include_sp_default_attributes_mapping: "yes"
|
|
|
|
# Inclure les règles de filtrages des attributs SAML fournis par défaut par le projet hydra-shibboleth-sp-v3
|
|
hydra_saml_include_sp_default_attributes_policy: "yes"
|
|
|
|
# Règles de sélection et réécritures des attributs du jeton OIDC
|
|
# en provenance de la login-app sélectionnée
|
|
hydra_saml_attributes_rewrite_rules:
|
|
email:
|
|
- "consent.session.id_token.email ? consent.session.id_token.email : null"
|
|
family_name:
|
|
- "consent.session.id_token.family_name ? consent.session.id_token.family_name : null"
|
|
given_name:
|
|
- "consent.session.id_token.given_name ? consent.session.id_token.given_name : null"
|
|
birthdate:
|
|
- "consent.session.id_token.given_name ? consent.session.id_token.birthdate : null"
|
|
gender:
|
|
- "consent.session.id_token.given_name ? consent.session.id_token.gender : null"
|
|
birthplace:
|
|
- "consent.session.id_token.given_name ? consent.session.id_token.birthplace : null"
|
|
birthcountry:
|
|
- "consent.session.id_token.given_name ? consent.session.id_token.birthcountry : null"
|
|
roles:
|
|
- "consent.session.id_token.roles ? consent.session.id_token.roles : null"
|
|
|
|
# Entête HTTP utilisée pour identifier l'utilisateur connecté
|
|
hydra_saml_subject_header: subject-id
|
|
|
|
# Liste des entêtes HTTP utilisées et transformées en attributs
|
|
# pour le jeton OIDC
|
|
hydra_saml_headers_attributes_mapping:
|
|
- header: mail
|
|
attribute: email
|
|
required: true
|
|
|
|
saml_attributes:
|
|
- id: uid
|
|
name: urn:oid:0.9.2342.19200300.100.1.1
|
|
nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
|
|
- id: mail
|
|
name: urn:oid:0.9.2342.19200300.100.1.3
|
|
nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
|
|
|
|
saml_attribute_policies: []
|
|
|
|
# OIDC Test configuration
|
|
|
|
enable_oidc_test_app: yes
|
|
oidc_test_app_client_id: oidc-test
|
|
oidc_test_app_client_secret: '$oidc-test&123456$'
|
|
oidc_test_app_public_base_url: "{{ haproxy_public_base_url }}{{ haproxy_oidc_test_base_path }}"
|
|
|
|
# Hydra OIDC configuration
|
|
|
|
enable_hydra_oidc: no
|
|
hydra_oidc_debug: no
|
|
hydra_oidc_hydra_url_error:
|
|
hydra_oidc_base_url:
|
|
hydra_oidc_cookie_path: "{{ haproxy_hydra_oidc_base_path }}"
|
|
hydra_oidc_app_title:
|
|
fr: OIDC
|
|
hydra_oidc_app_description:
|
|
fr: Authentification via OIDC
|
|
hydra_oidc_app_icon_url: https://openid.net/wordpress-content/uploads/2014/09/openid-r-logo-900x360.png
|
|
hydra_oidc_identity_provider_id: oidc
|
|
hydra_oidc_authorize_endpoint:
|
|
hydra_oidc_token_endpoint:
|
|
hydra_oidc_userinfo_endpoint:
|
|
hydra_oidc_logout_endpoint:
|
|
hydra_oidc_post_logout_redirect_url:
|
|
hydra_oidc_scope: openid email
|
|
hydra_oidc_client_id:
|
|
hydra_oidc_client_secret:
|
|
hydra_oidc_additionnal_env: {}
|
|
hydra_oidc_app_options:
|
|
icon_url:
|
|
fr:
|
|
hydra_oidc_attributes_rewrite_rules:
|
|
email:
|
|
- "property_exists(consent.session.id_token, 'email') ? consent.session.id_token.email : null"
|
|
email_verified:
|
|
- "property_exists(consent.session.id_token, 'email_verified') ? consent.session.id_token.email_verified : false"
|
|
family_name:
|
|
- "property_exists(consent.session.id_token, 'family_name') ? consent.session.id_token.family_name : null"
|
|
given_name:
|
|
- "property_exists(consent.session.id_token, 'given_name') ? consent.session.id_token.given_name : null"
|
|
birthdate:
|
|
- "property_exists(consent.session.id_token, 'birthdate') ? consent.session.id_token.birthdate : null"
|
|
gender:
|
|
- "property_exists(consent.session.id_token, 'gender') ? consent.session.id_token.gender : null"
|
|
birthplace:
|
|
- "property_exists(consent.session.id_token, 'birthplace') ? consent.session.id_token.birthplace : null"
|
|
birthcountry:
|
|
- "property_exists(consent.session.id_token, 'birthcountry') ? consent.session.id_token.birthcountry : null"
|
|
roles:
|
|
- "property_exists(consent.session.id_token, 'roles') ? consent.session.id_token.roles : []"
|
|
|
|
# Hydra LDAP configuration
|
|
|
|
enable_hydra_ldap: no
|
|
hydra_ldap_app_title:
|
|
fr: LDAP
|
|
hydra_ldap_app_description:
|
|
fr: Authentification via LDAP
|
|
hydra_ldap_app_icon_url:
|
|
hydra_ldap_dev_mode: false
|
|
hydra_ldap_attributes_rewrite_rules:
|
|
email:
|
|
- "property_exists(consent.session.id_token, 'email') ? consent.session.id_token.email : null"
|
|
email_verified:
|
|
- "property_exists(consent.session.id_token, 'email_verified') ? consent.session.id_token.email_verified : false"
|
|
family_name:
|
|
- "property_exists(consent.session.id_token, 'family_name') ? consent.session.id_token.family_name : null"
|
|
given_name:
|
|
- "property_exists(consent.session.id_token, 'given_name') ? consent.session.id_token.given_name : null"
|
|
birthdate:
|
|
- "property_exists(consent.session.id_token, 'birthdate') ? consent.session.id_token.birthdate : null"
|
|
gender:
|
|
- "property_exists(consent.session.id_token, 'gender') ? consent.session.id_token.gender : null"
|
|
birthplace:
|
|
- "property_exists(consent.session.id_token, 'birthplace') ? consent.session.id_token.birthplace : null"
|
|
birthcountry:
|
|
- "property_exists(consent.session.id_token, 'birthcountry') ? consent.session.id_token.birthcountry : null"
|
|
roles:
|
|
- "property_exists(consent.session.id_token, 'roles') ? consent.session.id_token.roles : []"
|
|
hydra_ldap_endpoints: []
|
|
hydra_ldap_bind_dn:
|
|
hydra_ldap_bind_password:
|
|
hydra_ldap_base_dn:
|
|
hydra_ldap_user_search_query: "(&(objectClass=inetOrgPerson)(|(uid=%[1]s)(mail=%[1]s)))"
|
|
hydra_ldap_role_search_query: "(&(memberUid=%[1]s)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=posixGroup)))"
|
|
hydra_ldap_attr_claims: "sn:family_name,givenName:given_name,mail:email"
|
|
hydra_ldap_role_base_dn:
|
|
hydra_ldap_role_attr: cn
|
|
hydra_ldap_use_tls: false
|
|
hydra_ldap_role_claim: roles
|
|
hydra_ldap_claim_scopes: "name:profile,family_name:profile,given_name:profile,email:email,roles:roles"
|