forked from rciam/rciam-deploy
-
Notifications
You must be signed in to change notification settings - Fork 0
/
secrets.yml
143 lines (117 loc) · 5.68 KB
/
secrets.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
# file: secrets.yml
---
- hosts: 127.0.0.1
connection: local
vars:
- secrets_generator_file: secrets_env.yml
- path_of_secrets_generator_file: config/PLACEHOLDER
- rciam_hostname: "www.example.com"
tasks:
- name: Include OS-specific variables
include_vars: "config/PLACEHOLDER/secrets_env.yml.PLACEHOLDER"
- name: "Check if {{ path_of_secrets_generator_file }}/{{ secrets_generator_file }} file exists"
stat:
path: "config/PLACEHOLDER/secrets_env.yml"
register: secrets_file
- name: Create new secretes file
command: "cp -p config/PLACEHOLDER/secrets_env.yml.PLACEHOLDER {{ path_of_secrets_generator_file }}/{{ secrets_generator_file }}"
when: secrets_file.stat.exists == False
- name: "Set permissions of {{ path_of_secrets_generator_file }}/{{ secrets_generator_file }}"
file:
path: "{{ path_of_secrets_generator_file }}/{{ secrets_generator_file }}"
state: file
mode: 0600
when: secrets_file.stat.exists == False
- name: Generate self-signed SP certificates
command : "openssl req -newkey rsa:2048 -new -x509 -days 3652 -subj \"/CN={{ rciam_hostname }}\" -nodes -out sp-{{ item.name }}.crt -keyout sp-{{ item.name }}.key"
args:
chdir: config/PLACEHOLDER/
no_log: true
register: new_sp_certificate
with_items: "{{ ssp_authsources_saml }}"
when: secrets_file.stat.exists == False
- name: Generate self-signed IdP certificates
command : "openssl req -newkey rsa:2048 -new -x509 -days 3652 -subj \"/CN={{ rciam_hostname }}\" -nodes -out idp-{{ item.entity_id }}.crt -keyout idp-{{ item.entity_id }}.key"
args:
chdir: config/PLACEHOLDER/
no_log: true
register: new_sp_certificate
with_items: "{{ ssp_idp_hosts }}"
when: secrets_file.stat.exists == False
- name: Fill in random genarated passwords & salts
lineinfile:
dest: "{{ path_of_secrets_generator_file }}/{{ secrets_generator_file }}"
regexp: "{{ item.regex }}"
line: "{{ item.replace_with }}"
state: present
no_log: true
loop:
- { regex: '^ssp_secretsalt: CHANGEME', replace_with: "ssp_secretsalt: \"{{ lookup('password', '/dev/null length=33 chars=ascii_lowercase,digits') }}\"" }
- { regex: '^ssp_adminpassword: CHANGEME', replace_with: "ssp_adminpassword: \"{{ lookup('password', '/dev/null length=15 chars=ascii_lowercase,digits') }}\"" }
- { regex: '^ssp_adminpassword_salt: CHANGEME', replace_with: "ssp_adminpassword_salt: \"{{ lookup('password', '/dev/null length=15 chars=ascii_lowercase,digits') }}\"" }
- { regex: '^ssp_mod_cron_secret: CHANGEME', replace_with: "ssp_mod_cron_secret: \"{{ lookup('password', '/dev/null length=33 chars=ascii_lowercase,digits') }}\"" }
when: secrets_file.stat.exists == False
- name: Fill in certificate cn
replace:
path: "{{ path_of_secrets_generator_file }}/{{ secrets_generator_file }}"
regexp: "ssl_certificate_cn: CHANGEME"
replace: "ssl_certificate_cn: {{ rciam_hostname }}"
when: secrets_file.stat.exists == False
- name: Fill in SP self-signed certificates
lineinfile:
dest: "{{ path_of_secrets_generator_file }}/{{ secrets_generator_file }}"
regexp: "{{ item.ssl_certificate }}"
line: " {{ lookup('file', 'config/PLACEHOLDER/sp-{{ item.name }}.crt') | indent(width=6) }}"
state: present
with_items: "{{ ssp_authsources_saml }}"
when: secrets_file.stat.exists == False
- name: Fill in IdP self-signed certificates
lineinfile:
dest: "{{ path_of_secrets_generator_file }}/{{ secrets_generator_file }}"
regexp: "{{ item.ssl_certificate }}"
line: " {{ lookup('file', 'config/PLACEHOLDER/idp-{{ item.entity_id }}.crt') | indent(width=6) }}"
state: present
with_items: "{{ ssp_idp_hosts }}"
when: secrets_file.stat.exists == False
- name: Fill in SP self-signed certificate keys
lineinfile:
dest: "{{ path_of_secrets_generator_file }}/{{ secrets_generator_file }}"
regexp: "{{ item.ssl_certificate_key }}"
line: " {{ lookup('file', 'config/PLACEHOLDER/sp-{{ item.name }}.key') | indent(width=6) }}"
state: present
no_log: true
with_items: "{{ vault_ssp_authsources_saml }}"
when: secrets_file.stat.exists == False
- name: Fill in IdP self-signed certificate keys
lineinfile:
dest: "{{ path_of_secrets_generator_file }}/{{ secrets_generator_file }}"
regexp: "{{ item.ssl_certificate_key }}"
line: " {{ lookup('file', 'config/PLACEHOLDER/idp-{{ item.entity_id }}.key') | indent(width=6) }}"
state: present
no_log: true
with_items: "{{ vault_ssp_idp_hosts }}"
when: secrets_file.stat.exists == False
- name: Delete SP certificates
file:
path: "config/PLACEHOLDER/sp-{{ item.name }}.crt"
state: absent
with_items: "{{ ssp_authsources_saml }}"
when: secrets_file.stat.exists == False
- name: Delete SP certificate keys
file:
path: "config/PLACEHOLDER/sp-{{ item.name }}.key"
state: absent
with_items: "{{ ssp_authsources_saml }}"
when: secrets_file.stat.exists == False
- name: Delete IdP certificates
file:
path: "config/PLACEHOLDER/idp-{{ item.entity_id }}.crt"
state: absent
with_items: "{{ ssp_idp_hosts }}"
when: secrets_file.stat.exists == False
- name: Delete IdP certificate keys
file:
path: "config/PLACEHOLDER/idp-{{ item.entity_id }}.key"
state: absent
with_items: "{{ ssp_idp_hosts }}"
when: secrets_file.stat.exists == False