diff --git a/.gitignore b/.gitignore
index 9ceecccd3893a2881311259929f7f1164800f065..508a6ea717bf441d3291324c3df9c9db3e1e907f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,6 @@
+files/*.crt
+files/*.key
+inventory/group_vars/all.yml
 inventory/group_vars/geodns.yml
+inventory/group_vars/mdsigner.yml
 .ssh/id_*
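Review bot: `inventory/inventory` is renamed to `inventory/inventory.example` later in this commit, but the real `inventory/inventory` an operator creates from it is not ignored here, unlike `all.yml` and `mdsigner.yml`, so it can still be committed with real hostnames. Add `inventory/inventory` to this list. Note also that `files/*.crt` and `files/*.key` only match the top level of `files/`; if key material is ever placed in a subdirectory it would not be covered, and `files/**/*.key` would be the safer pattern.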
diff --git a/files/GeoLite2-Country.mmdb b/files/GeoLite2-Country.mmdb
deleted file mode 100644
index fcc7618fad247a69a847639e4a93647deadc793a..0000000000000000000000000000000000000000
Binary files a/files/GeoLite2-Country.mmdb and /dev/null differ
diff --git a/files/README b/files/README
index 2883bb9ce2e3b39cfa99fb63a5af7991b8b55e57..22681f3814b574942948df172bbecd4632397775 100644
--- a/files/README
+++ b/files/README
@@ -1 +1,4 @@
-Download GeoLite2 DB's from https://dev.maxmind.com/geoip/geolite2-free-geolocation-data
+This directory should contain:
+
+ * GeoDNS config in yaml format
+ * mdsigner signing certificates (key_spec/cert_spec)
diff --git a/inventory/group_vars/all.yml b/inventory/group_vars/all.yml.example
similarity index 55%
rename from inventory/group_vars/all.yml
rename to inventory/group_vars/all.yml.example
index a82eac0b860a7f7fa508a48d51a0ee5f1abb0720..e55632c920e1d9ea8dcac523b1c208cee74bcee6 100644
--- a/inventory/group_vars/all.yml
+++ b/inventory/group_vars/all.yml.example
@@ -2,37 +2,27 @@
 
 tld: srv.mdx.incubator.geant.org
 
-hosts:
+proxies:
   et2:
     hostname: srv1
-    altname: 'server-md2.et2.com'
-
-    mdsigner:
-      test:
-        signer: hsm_signer
-        metadir: metadata/test
+    alias: 'server-md2.et2.com'
 
     mdproxy:
       test:
         signer: 'http://localhost:5001'
-        altname: 'test-md.et2.com'
+        realm_alias: 'test-md.et2.com'
       edugain:
         signer: 'http://srv2-signer.srv.mdx.incubator.geant.org'
-        altname: 'edugain-md.et2.com'
+        realm_alias: 'edugain-md.et2.com'
 
   mdxcdn:
     hostname: srv2
-    altname: 'server-md2.et2.com'
-
-    mdsigner:
-      edugain:
-        signer: hsm_signer
-        metadir: metadata/edugain
+    alias: 'server-md2.et2.com'
 
     mdproxy:
       test:
         signer: 'http://srv1-signer.srv.mdx.incubator.geant.org'
-        altname: 'test-md.foobar.com'
+        realm_alias: 'test-md.foobar.com'
       edugain:
         signer: 'http://localhost:5001'
 
@@ -42,20 +32,15 @@ hosts:
     mdproxy:
       test:
         signer: 'http://srv1-signer.srv.mdx.incubator.geant.org'
-        altname: 'test-md.barfoo.com'
+        realm_alias: 'test-md.barfoo.com'
       edugain:
         signer: 'http://srv2-signer.srv.mdx.incubator.geant.org'
 
   alternative-mdx:
     hostname: srv4
-    altname: 'server-md.example.com'
-
-    mdsigner:
-      foobar:
-        signer: normal_signer
-        metadir: metadata/test
+    alias: 'server-md.example.com'
 
     mdproxy:
       edugain:
         signer: 'http://srv2-signer.srv.mdx.incubator.geant.org'
-        altname: 'edugain-md.blabla.com'
+        realm_alias: 'edugain-md.blabla.com'
diff --git a/inventory/group_vars/geodns.yml.example b/inventory/group_vars/geodns.yml.example
new file mode 100644
index 0000000000000000000000000000000000000000..c3a30bbcd0d57d5b68c6bc900d7770dff2b0a652
--- /dev/null
+++ b/inventory/group_vars/geodns.yml.example
@@ -0,0 +1 @@
+geodns_licence: *************
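Review bot: `geodns_licence: *************` is not valid YAML: a plain scalar beginning with `*` is an alias reference, so loading the example as-is fails with an undefined-alias error rather than a clear "fill me in" message. Quote the placeholder, `geodns_licence: "<your-maxmind-licence-key>"`; the quotes also protect a real key that happens to be all digits from being read as an integer.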
diff --git a/inventory/group_vars/mdsigner.yml.example b/inventory/group_vars/mdsigner.yml.example
new file mode 100644
index 0000000000000000000000000000000000000000..874e5469ad14c08b40c3267c9146d8543689dc0a
--- /dev/null
+++ b/inventory/group_vars/mdsigner.yml.example
@@ -0,0 +1,32 @@
+---
+
+signers_tld: srv.mdx.incubator.geant.org
+
+signers:
+  et2:
+    hostname: srv1
+    alias: mdx.et2.hu
+    mdsigner:
+      test:
+        name: hsm_signer
+        key_spec: pkcs11:///usr/lib/softhsm/libsofthsm2.so/test?pin=secret
+
+  mdxcdn:
+    hostname: srv2
+    alias: mdx.cdn.nl
+    mdsigner:
+      edugain:
+        name: hsm_signer
+        key_spec: pkcs11:///usr/lib/softhsm/libsofthsm2.so/test?pin=secret
+
+  alternative-mdx:
+    hostname: srv3
+    alias: mdx.alternative.nl
+    mdsigner:
+      test:
+        name: normal_signer
+        key_spec: "test.key"
+        cert_spec: "test.crt"
+      foobar:
+        name: hsm_signer
+        key_spec: pkcs11:///usr/lib/softhsm/libsofthsm2.so/test?pin=secret
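Review bot: the `key_spec` values embed the HSM PIN in the URI (`pkcs11:///usr/lib/softhsm/libsofthsm2.so/test?pin=secret`), and `mdsigner.yaml.j2` writes that value verbatim into the rendered config on the host; the real `mdsigner.yml` is gitignored, but the PIN still sits in plain text in group_vars on the controller and in the rendered file. Consider keeping the PIN in an `ansible-vault`-encrypted variable and interpolating it, e.g. `key_spec: "pkcs11:///usr/lib/softhsm/libsofthsm2.so/test?pin={{ vault_hsm_pin }}"` (variable name illustrative), and quoting the value so the `?`/`=` query string is never re-parsed by a stricter loader. Separately, `alternative-mdx` has `hostname: srv3` here but `hostname: srv4` in `all.yml.example`; since the proxies' `signer:` URLs are built from the signer hostname, the two examples should agree.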
diff --git a/inventory/inventory b/inventory/inventory.example
similarity index 100%
rename from inventory/inventory
rename to inventory/inventory.example
diff --git a/roles/apache/templates/md.conf.j2 b/roles/apache/templates/md.conf.j2
index 59ca6d422f5f551f051227ec3d34ad82d3cf64de..452e998f930e070f35abdc79c494e2c63e2b64ca 100644
--- a/roles/apache/templates/md.conf.j2
+++ b/roles/apache/templates/md.conf.j2
@@ -1,31 +1,37 @@
-{% if hosts[inventory_hostname].get('mdsigner') %}
+{% if signers is defined and signers[inventory_hostname].get('mdsigner') %}
+# Signer configuration
 <VirtualHost *:80>
-        ServerName {{ hosts[inventory_hostname]['hostname'] }}-signer.{{ tld }}
-{% if hosts[inventory_hostname].get('altname') %}
-        ServerAlias {{ hosts[inventory_hostname]['altname'] }}
+        ServerName {{ signers[inventory_hostname]['hostname'] }}-signer.{{ signers_tld }}
+{% if signers[inventory_hostname].get('alias') %}
+        ServerAlias {{ signers[inventory_hostname]['alias'] }}
 {% endif %}
         DocumentRoot /var/www/html
         AllowEncodedSlashes NoDecode
         ProxyPass "/" "http://127.0.0.1:5001/" nocanon
         ProxyPassReverse "/" "http://127.0.0.1:5001/"
 </VirtualHost>
-{% endif %}
 
-{% if hosts[inventory_hostname].get('mdproxy') %}
+{% endif %}
+{% if proxies is defined and proxies[inventory_hostname].get('mdproxy') %}
+# Global proxy configuration
 <VirtualHost *:80>
-        ServerName {{ hosts[inventory_hostname]['hostname'] }}-proxy.{{ tld }}
+        ServerName {{ proxies[inventory_hostname]['hostname'] }}-proxy.{{ tld }}
+{% if proxies[inventory_hostname].get('alias') %}
+        ServerAlias {{ proxies[inventory_hostname]['alias'] }}
+{% endif %}
         DocumentRoot /var/www/html
         AllowEncodedSlashes NoDecode
         ProxyPass "/" "http://127.0.0.1:5002/" nocanon
         ProxyPassReverse "/" "http://127.0.0.1:5002/"
 </VirtualHost>
 
-{% set mdproxy = hosts[inventory_hostname]['mdproxy'] %}
+{% set mdproxy = proxies[inventory_hostname]['mdproxy'] %}
+# Realm specific proxy configuration
 {% for realm, values in mdproxy.items() %}
 <VirtualHost *:80>
         ServerName proxy-{{ realm }}.{{ tld }}
-{% if values.get('altname') %}
-        ServerAlias {{ values['altname'] }}
+{% if values.get('realm_alias') %}
+        ServerAlias {{ values['realm_alias'] }}
 {% endif %}
         DocumentRoot /var/www/html
         AllowEncodedSlashes NoDecode
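Review bot: `signers is defined and signers[inventory_hostname].get('mdsigner')` guards against the mapping being absent but not against the current host being missing from it; `proxies` lives in `group_vars/all.yml`, so if that path means what it usually does it is defined for every host, and a host not listed under `proxies:` makes `proxies[inventory_hostname].get(...)` abort the template with an undefined error instead of skipping the block. Add the membership test to both guards: `{% if proxies is defined and inventory_hostname in proxies and proxies[inventory_hostname].get('mdproxy') %}` and the same shape for `signers`. The realm `for` loop and its `<VirtualHost>` continue past the end of the hunk.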
@@ -34,3 +40,4 @@
 </VirtualHost>
 {% endfor %}
 {% endif %}
+
diff --git a/roles/geodns/tasks/main.yml b/roles/geodns/tasks/main.yml
index a92b0590e5f711d89fb50c9a201632c2251f8bbc..1f26cc9b2aa5fe85e6f9678e90ae4f4e74664bce 100644
--- a/roles/geodns/tasks/main.yml
+++ b/roles/geodns/tasks/main.yml
@@ -4,6 +4,7 @@
     state: present
     name:
       - netcat-openbsd
+      - ansible
 
 - name: Check if go binary exists
   stat:
diff --git a/roles/local/tasks/main.yml b/roles/local/tasks/main.yml
index 09096d6a4591b6a5eaabb944b822ab39b8dc7e02..928fc5362772738345de8157e25503052164b147 100644
--- a/roles/local/tasks/main.yml
+++ b/roles/local/tasks/main.yml
@@ -1,9 +1,4 @@
 ---
-- name: Install packages
-  apt:
-    state: present
-    name:
-      - ansible
 
 - name: Clone MDX-SAAS-config repository
   ansible.builtin.git:
diff --git a/roles/mdproxy/templates/mdproxy.yaml.j2 b/roles/mdproxy/templates/mdproxy.yaml.j2
index e17c6fe8b22644e21927407b4bc27720df6ddf10..d17d486393001171542f60d8eb7abcd0f799a104 100644
--- a/roles/mdproxy/templates/mdproxy.yaml.j2
+++ b/roles/mdproxy/templates/mdproxy.yaml.j2
@@ -1,2 +1,6 @@
 ---
-{{ hosts[inventory_hostname]['mdproxy'] | tojson }}
+{% set mdproxies = proxies[inventory_hostname]['mdproxy'] %}
+{% for realm, values in mdproxies.items() %}
+{{ realm }}:
+  signer: {{ values['signer'] }}
+{% endfor %}
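Review bot: `signer: {{ values['signer'] }}` emits the value as a plain scalar, so a signer URL containing ` #` or starting with a YAML indicator would be mis-parsed by the consumer, and an empty value becomes null rather than an empty string; the `| tojson` output this replaces did not have that problem. Quote the substitution, `  signer: "{{ values['signer'] }}"`, and likewise the key line, `"{{ realm }}":`; alternatively, if dropping `realm_alias` from the rendered file is not required, render the dict with `| to_nice_yaml` instead of a hand-written loop.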
diff --git a/roles/mdsigner/tasks/certificates.yml b/roles/mdsigner/tasks/certificates.yml
new file mode 100644
index 0000000000000000000000000000000000000000..8e0c936aa74809ef995c39151b303de4ddd294cf
--- /dev/null
+++ b/roles/mdsigner/tasks/certificates.yml
@@ -0,0 +1,18 @@
+- name: check wheter we can copy certificates
+  ansible.builtin.stat:
+    path: "{{ playbook_dir }}/files/{{ item.value.key_spec }}"
+  delegate_to: localhost
+  become: no
+  register: key_spec
+
+- name: Copy certificates when key_spec exists
+  block:
+    - name: Copy Key spec
+      ansible.builtin.copy:
+        src: "{{ item.value.key_spec }}"
+        dest: "{{ altmdx_dir }}/{{ item.value.key_spec }}"
+    - name: Copy Cert spec
+      ansible.builtin.copy:
+        src: "{{ item.value.cert_spec }}"
+        dest: "{{ altmdx_dir }}/{{ item.value.cert_spec }}"
+  when: key_spec.stat.exists
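Review bot: the `Copy Key spec` task copies a private signing key with no `mode` or `owner`, so the key lands under `{{ altmdx_dir }}` with the remote user's default permissions, which on most systems means group- and world-readable. Add `mode: "0600"` and the user the signer service runs as (`owner: <mdsigner-service-user>`, whatever the role uses elsewhere) to that task, and a matching `mode: "0644"` to the cert copy. The `Copy Cert spec` task will also fail on an undefined `item.value.cert_spec` for an entry that has a file-backed `key_spec` but no `cert_spec`; a `when: item.value.cert_spec is defined` on that task avoids it. Minor: the first task name reads `wheter`.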
diff --git a/roles/mdsigner/tasks/main.yml b/roles/mdsigner/tasks/main.yml
index d3dd9a3b89d8ce8307b4487c870accf6c78206a0..60a434dbffaa7594cc232f0a67bb1d1e4f33dc10 100644
--- a/roles/mdsigner/tasks/main.yml
+++ b/roles/mdsigner/tasks/main.yml
@@ -22,22 +22,11 @@
     path: "{{ altmdx_metadir }}/{{ item.key }}"
     state: directory
     mode: '0755'
-  with_dict: "{{ hosts[inventory_hostname]['mdsigner'] }}"
+  with_dict: "{{ signers[inventory_hostname]['mdsigner'] }}"
 
-- name: Check existence of metadata signing cert
-  stat:
-    path: "{{ altmdx_metadir }}/meta.crt"
-  register: mdcert
-
-- name: create self-signed Metadata Signing SSL certs
-  shell: >
-    openssl genrsa -out "{{ altmdx_dir }}/meta.key" 2048;
-    openssl req -new -nodes -x509 -subj "/C=NL/CN=metadata"
-    -days 3650 -key "{{ altmdx_dir }}/meta.key"
-    -out "{{ altmdx_dir }}/meta.crt" -extensions v3_ca
-  args:
-    creates: "{{ altmdx_dir }}/meta.crt"
-  when: not mdcert.stat.exists
+- name: Copy certificates
+  include_tasks: certificates.yml
+  loop: "{{ signers[inventory_hostname]['mdsigner'] | dict2items }}"
 
 - name: Copy mdsigner service files
   ansible.builtin.template:
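Review bot: the removed `create self-signed Metadata Signing SSL certs` task was the fallback when no key existed, and its replacement only copies a key when `files/<key_spec>` exists on the controller, so a `normal_signer` entry whose files are missing is skipped silently and the rendered `mdsigner.yaml` points at a key that is not there. An `ansible.builtin.assert` in `certificates.yml` right after the stat, with `that: item.value.name != 'normal_signer' or key_spec.stat.exists`, would turn that into a clear failure at deploy time instead of a broken signer. The directory task at the top of the hunk and the template task at the bottom both extend outside it.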
diff --git a/roles/mdsigner/templates/mdsigner.yaml.j2 b/roles/mdsigner/templates/mdsigner.yaml.j2
index c2259f34a09d41e7559d17a31e31bb1db72732d9..769e307c18aa8f3b112db5190dfde1ed8e99862a 100644
--- a/roles/mdsigner/templates/mdsigner.yaml.j2
+++ b/roles/mdsigner/templates/mdsigner.yaml.j2
@@ -1,2 +1,10 @@
 ---
-{{ hosts[inventory_hostname]['mdsigner'] | to_yaml }}
+{% set mdsigners = signers[inventory_hostname]['mdsigner'] %}
+{% for realm, values in mdsigners.items() %}
+{{ realm }}:
+  signer:
+    name: {{ values['name'] }}
+    key_spec: {{ values.key_spec }}
+    cert_spec: {{ values.get('cert_spec') }}
+  metadir: metadata/{{ realm }}
+{% endfor %}
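Review bot: `cert_spec: {{ values.get('cert_spec') }}` renders as `cert_spec: None` for the HSM entries in `mdsigner.yml.example` that have no `cert_spec`, which a YAML consumer reads as the string `None`, not as absent. Emit the line only when present, `{% if values.get('cert_spec') %}` / `    cert_spec: "{{ values['cert_spec'] }}"` / `{% endif %}`, and quote the `name` and `key_spec` substitutions too, since `key_spec` carries a URI with a `?pin=` query string that should reach the consumer byte-for-byte. Also, `metadir` was previously configurable per realm in `all.yml` and is now fixed to `metadata/{{ realm }}`; fine if intended, but a one-line comment in the template saying the directory is derived from the realm name would save the next reader a search.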