Merge branch 'martin' into 'main'

Martin

See merge request !1

.gitignore

+files/*.crt
+files/*.key
+inventory/group_vars/all.yml
 inventory/group_vars/geodns.yml
+inventory/group_vars/mdsigner.yml
 .ssh/id_*

files/README

-Download GeoLite2 DB's from https://dev.maxmind.com/geoip/geolite2-free-geolocation-data
+This directory should contain:
+
+ * GeoDNS config in yaml format
+ * mdsigner signing certificates (key_spec/cert_spec)

inventory/group_vars/all.yml → inventory/group_vars/all.yml.example

@@ -2,37 +2,27 @@
 
 tld: srv.mdx.incubator.geant.org
 
-hosts:
+proxies:
   et2:
     hostname: srv1
-    altname: 'server-md2.et2.com'
-
-    mdsigner:
-      test:
-        signer: hsm_signer
-        metadir: metadata/test
+    alias: 'server-md2.et2.com'
 
     mdproxy:
       test:
         signer: 'http://localhost:5001'
-        altname: 'test-md.et2.com'
+        realm_alias: 'test-md.et2.com'
       edugain:
         signer: 'http://srv2-signer.srv.mdx.incubator.geant.org'
-        altname: 'edugain-md.et2.com'
+        realm_alias: 'edugain-md.et2.com'
 
   mdxcdn:
     hostname: srv2
-    altname: 'server-md2.et2.com'
-
-    mdsigner:
-      edugain:
-        signer: hsm_signer
-        metadir: metadata/edugain
+    alias: 'server-md2.et2.com'
 
     mdproxy:
       test:
         signer: 'http://srv1-signer.srv.mdx.incubator.geant.org'
-        altname: 'test-md.foobar.com'
+        realm_alias: 'test-md.foobar.com'
       edugain:
         signer: 'http://localhost:5001'
 
@@ -42,20 +32,15 @@ hosts:
     mdproxy:
       test:
         signer: 'http://srv1-signer.srv.mdx.incubator.geant.org'
-        altname: 'test-md.barfoo.com'
+        realm_alias: 'test-md.barfoo.com'
       edugain:
         signer: 'http://srv2-signer.srv.mdx.incubator.geant.org'
 
   alternative-mdx:
     hostname: srv4
-    altname: 'server-md.example.com'
-
-    mdsigner:
-      foobar:
-        signer: normal_signer
-        metadir: metadata/test
+    alias: 'server-md.example.com'
 
     mdproxy:
       edugain:
         signer: 'http://srv2-signer.srv.mdx.incubator.geant.org'
-        altname: 'edugain-md.blabla.com'
+        realm_alias: 'edugain-md.blabla.com'

inventory/group_vars/geodns.yml.example

+geodns_licence: *************

inventory/group_vars/mdsigner.yml.example

+---
+
+signers_tld: srv.mdx.incubator.geant.org
+
+signers:
+  et2:
+    hostname: srv1
+    alias: mdx.et2.hu
+    mdsigner:
+      test:
+        name: hsm_signer
+        key_spec: pkcs11:///usr/lib/softhsm/libsofthsm2.so/test?pin=secret
+
+  mdxcdn:
+    hostname: srv2
+    alias: mdx.cdn.nl
+    mdsigner:
+      edugain:
+        name: hsm_signer
+        key_spec: pkcs11:///usr/lib/softhsm/libsofthsm2.so/test?pin=secret
+
+  alternative-mdx:
+    hostname: srv3
+    alias: mdx.alternative.nl
+    mdsigner:
+      test:
+        name: normal_signer
+        key_spec: "test.key"
+        cert_spec: "test.crt"
+      foobar:
+        name: hsm_signer
+        key_spec: pkcs11:///usr/lib/softhsm/libsofthsm2.so/test?pin=secret

roles/apache/templates/md.conf.j2

-{% if hosts[inventory_hostname].get('mdsigner') %}
+{% if signers is defined and signers[inventory_hostname].get('mdsigner') %}
+# Signer configuration
 <VirtualHost *:80>
-        ServerName {{ hosts[inventory_hostname]['hostname'] }}-signer.{{ tld }}
-{% if hosts[inventory_hostname].get('altname') %}
-        ServerAlias {{ hosts[inventory_hostname]['altname'] }}
+        ServerName {{ signers[inventory_hostname]['hostname'] }}-signer.{{ signers_tld }}
+{% if signers[inventory_hostname].get('alias') %}
+        ServerAlias {{ signers[inventory_hostname]['alias'] }}
 {% endif %}
         DocumentRoot /var/www/html
         AllowEncodedSlashes NoDecode
         ProxyPass "/" "http://127.0.0.1:5001/" nocanon
         ProxyPassReverse "/" "http://127.0.0.1:5001/"
 </VirtualHost>
-{% endif %}
 
-{% if hosts[inventory_hostname].get('mdproxy') %}
+{% endif %}
+{% if proxies is defined and proxies[inventory_hostname].get('mdproxy') %}
+# Global proxy configuration
 <VirtualHost *:80>
-        ServerName {{ hosts[inventory_hostname]['hostname'] }}-proxy.{{ tld }}
+        ServerName {{ proxies[inventory_hostname]['hostname'] }}-proxy.{{ tld }}
+{% if proxies[inventory_hostname].get('alias') %}
+        ServerAlias {{ proxies[inventory_hostname]['alias'] }}
+{% endif %}
         DocumentRoot /var/www/html
         AllowEncodedSlashes NoDecode
         ProxyPass "/" "http://127.0.0.1:5002/" nocanon
         ProxyPassReverse "/" "http://127.0.0.1:5002/"
 </VirtualHost>
 
-{% set mdproxy = hosts[inventory_hostname]['mdproxy'] %}
+{% set mdproxy = proxies[inventory_hostname]['mdproxy'] %}
+# Realm specific proxy configuration
 {% for realm, values in mdproxy.items() %}
 <VirtualHost *:80>
         ServerName proxy-{{ realm }}.{{ tld }}
-{% if values.get('altname') %}
-        ServerAlias {{ values['altname'] }}
+{% if values.get('realm_alias') %}
+        ServerAlias {{ values['realm_alias'] }}
 {% endif %}
         DocumentRoot /var/www/html
         AllowEncodedSlashes NoDecode
@@ -34,3 +40,4 @@
 </VirtualHost>
 {% endfor %}
 {% endif %}
+

roles/geodns/tasks/main.yml

@@ -4,6 +4,7 @@
     state: present
     name:
       - netcat-openbsd
+      - ansible
 
 - name: Check if go binary exists
   stat:

roles/local/tasks/main.yml

 ---
-- name: Install packages
-  apt:
-    state: present
-    name:
-      - ansible
 
 - name: Clone MDX-SAAS-config repository
   ansible.builtin.git:

roles/mdproxy/templates/mdproxy.yaml.j2

 ---
-{{ hosts[inventory_hostname]['mdproxy'] | tojson }}
+{% set mdproxies = proxies[inventory_hostname]['mdproxy'] %}
+{% for realm, values in mdproxies.items() %}
+{{ realm }}:
+  signer: {{ values['signer'] }}
+{% endfor %}

roles/mdsigner/tasks/certificates.yml

+- name: check wheter we can copy certificates
+  ansible.builtin.stat:
+    path: "{{ playbook_dir }}/files/{{ item.value.key_spec }}"
+  delegate_to: localhost
+  become: no
+  register: key_spec
+
+- name: Copy certificates when key_spec exists
+  block:
+    - name: Copy Key spec
+      ansible.builtin.copy:
+        src: "{{ item.value.key_spec }}"
+        dest: "{{ altmdx_dir }}/{{ item.value.key_spec }}"
+    - name: Copy Cert spec
+      ansible.builtin.copy:
+        src: "{{ item.value.cert_spec }}"
+        dest: "{{ altmdx_dir }}/{{ item.value.cert_spec }}"
+  when: key_spec.stat.exists

roles/mdsigner/tasks/main.yml

@@ -22,22 +22,11 @@
     path: "{{ altmdx_metadir }}/{{ item.key }}"
     state: directory
     mode: '0755'
-  with_dict: "{{ hosts[inventory_hostname]['mdsigner'] }}"
+  with_dict: "{{ signers[inventory_hostname]['mdsigner'] }}"
 
-- name: Check existence of metadata signing cert
-  stat:
-    path: "{{ altmdx_metadir }}/meta.crt"
-  register: mdcert
-
-- name: create self-signed Metadata Signing SSL certs
-  shell: >
-    openssl genrsa -out "{{ altmdx_dir }}/meta.key" 2048;
-    openssl req -new -nodes -x509 -subj "/C=NL/CN=metadata"
-    -days 3650 -key "{{ altmdx_dir }}/meta.key"
-    -out "{{ altmdx_dir }}/meta.crt" -extensions v3_ca
-  args:
-    creates: "{{ altmdx_dir }}/meta.crt"
-  when: not mdcert.stat.exists
+- name: Copy certificates
+  include_tasks: certificates.yml
+  loop: "{{ signers[inventory_hostname]['mdsigner'] | dict2items }}"
 
 - name: Copy mdsigner service files
   ansible.builtin.template:

roles/mdsigner/templates/mdsigner.yaml.j2

 ---
-{{ hosts[inventory_hostname]['mdsigner'] | to_yaml }}
+{% set mdsigners = signers[inventory_hostname]['mdsigner'] %}
+{% for realm, values in mdsigners.items() %}
+{{ realm }}:
+  signer:
+    name: {{ values['name'] }}
+    key_spec: {{ values.key_spec }}
+    cert_spec: {{ values.get('cert_spec') }}
+  metadir: metadata/{{ realm }}
+{% endfor %}