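# https://wiki.shibboleth.net/confluence/display/IDP30/Installation
# ansible-playbook playbook.yml -i hosts -v
# or, to run only specific roles:
# ansible-playbook playbook.yml -i hosts -v --tag common
# inspired by: https://github.com/ConsortiumGARR/idem-tutorials/blob/master/idem-fedops/HOWTO-Shibboleth/Identity%20Provider/Ubuntu/HOWTO%20Install%20and%20Configure%20a%20Shibboleth%20IdP%20v3.2.1%20on%20Ubuntu%20Linux%20LTS%2016.04%20with%20Apache2%20%2B%20Jetty9.md
---
- name: Install Shibboleth IDP and SP
  hosts: all
  become: true
  # vars_files:
  #   - server_ip.yml
  vars:
    org: testunical
    domain3: aai-test
    domain2: testunical
    domain1: it
    # domain: "{{ domain3 }}.{{ domain2 }}.{{ domain1 }}"
    domain: "{{ domain2 }}.{{ domain1 }}"
    server_admin: "tech@{{ domain }}"

    # If true, the uninstall role removes and purges existing applications and configurations.
    # DO NOT USE THIS IN A PRODUCTION ENVIRONMENT, it will destroy everything!
    # Safer to keep false in VCS and enable per run with `-e purge=true`; left true here for the test deploy.
    purge: true

    # If the IdP and SP share the same IP, Apache's <VirtualHost ip:port> must be configured as <VirtualHost *:port>,
    # otherwise the exception "[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:661)" is raised,
    # or SSL_ERROR_RX_RECORD_TOO_LONG, or another one - the exact message depends on the client.
    # Set these in server_ip.yml; they allow a test deploy without any FQDN involved.
    # ldap_ip: "10.87.7.104"
    # idp_ip: "10.87.7.235"
    # sp_ip: "{{ idp_ip }}"

    # Commons
    src_cert_path: certs/
    cert_path: "/etc/ssl/certs/{{ domain }}"
    # NOTE(review): fixed staging path under world-writable /tmp; on shared hosts a per-run
    # private directory (e.g. the tempfile module) is preferable - the roles that use it are not visible here.
    tmp_upload_dir: "/tmp/ansible-shibboleth-idp-sp-setup"

    # NOTE(review): ldap_pw, idp_secret and idp_rdbms_pw are cleartext placeholder credentials committed to VCS.
    # Keep real values in an ansible-vault encrypted vars file (loaded via vars_files) and override these.

    # LDAP configuration
    ldap_fqdn: "ldap.ha.{{ domain }}"
    ldap_url: "ldaps://{{ ldap_fqdn }}"
    # ldap_basedc: "dc={{ domain3 }},dc={{ domain2 }},dc={{ domain1 }}"
    ldap_basedc: "dc={{ domain2 }},dc={{ domain1 }}"
    ldap_binddn: "uid=idpuser,ou=idp,{{ ldap_basedc }}"
    ldap_pw: "idpsecret"
    ldap_basedn: "ou=people,{{ ldap_basedc }}"
    ldap_cert: slapd-cert.pem
    # choose between: starttls, tls, plain
    # "plain" sends the bind credentials unencrypted - only for isolated test setups.
    ldap_auth: tls

    # webserver configuration, choose between apache and nginx
    httpd: apache
    # nginx
    nginx_src_dir: /opt
    nginx_version: "nginx-1.14.2"
    # Fetched over TLS (was plain http); the role that downloads it should also verify the
    # archive checksum/signature - that role is not visible here.
    nginx_dl_url: "https://nginx.org/download/{{ nginx_version }}.tar.gz"

    # which java version to use (optional: openjdk-8-jre)
    java_jdk: amazon
    # java_jdk: openjdk-8-jre
    java_amazon_package: amazon-corretto-11-x64-linux-jdk.deb
    java_amazon_dl: "https://corretto.aws/downloads/latest/{{ java_amazon_package }}"

    # Servlet configuration, choose your preferred between tomcat and jetty
    servlet_container: jetty
    servlet_ram: 2048m
    servlet_port: 8080
    servlet_host: 127.0.0.1
    # Jetty configuration
    jetty_version: "9.4.30.v20200611"
    jetty_distribution: "jetty-distribution-{{ jetty_version }}"
    jetty_pkg: "{{ jetty_distribution }}.tar.gz"
    jetty_dl_path: /opt
    jetty_dl_url: "https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-distribution/{{ jetty_version }}/{{ jetty_pkg }}"
    jetty_path: "{{ jetty_dl_path }}/jetty"
    # Tomcat configuration
    tomcat_version: tomcat8
    # TODO: tomcat_common
    # tomcat_admin_pw: tomcatsecret
    # tomcat_manager_pw: tomcatsecret

    # Shibboleth IDP
    shib_idp_version: "4.0.1"
    shib_idp_package: "shibboleth-identity-provider-{{ shib_idp_version }}.tar.gz"
    shib_dest_dir: "/opt"
    idp_path: "{{ shib_dest_dir }}/shibboleth-idp"
    shib_setup_folder: "{{ shib_dest_dir }}/shibboleth-identity-provider-{{ shib_idp_version }}"
    idp_dl_url: "https://shibboleth.net/downloads/identity-provider/{{ shib_idp_version }}/{{ shib_idp_package }}"
    idp_web_folder: /idp/shibboleth
    idp_fqdn: "idp.{{ domain }}"
    idp_entity_id: "https://{{ idp_fqdn }}{{ idp_web_folder }}"
    idp_secret: "idpsecret"
    idp_admin_email: "root@{{ idp_fqdn }}"
    idp_localized_message_url: "https://wiki.shibboleth.net/confluence/download/attachments/21660022/messages_it.properties?version=2&modificationDate=1541061867323&api=v2"
    idp_attr_resolver: attribute-resolver-v4-idem-custom.xml
    idp_attr_filter: attribute-filter-v4-idem.xml
    idp_attr_reg_shac_url: "https://registry.idem.garr.it/idem-conf/shibboleth/IDP4/attributes/schac.xml"
    idp_attr_reg_ep_tid_url: "https://registry.idem.garr.it/idem-conf/shibboleth/IDP4/attributes/custom/eduPersonTargetedID.properties"
    idp_disable_saml1: true
    # persistent id on RDBMS, it will install mariadb
    # NOT tested with ShibIdP 4 - the configuration may lack compatibility (TODO)
    idp_persistent_id_rdbms: false
    # Shibboleth IDP RDBMS for persistentID
    idp_rdbms_dbname: shibboleth
    idp_rdbms_user: "{{ idp_rdbms_dbname }}"
    idp_rdbms_pw: "{{ idp_secret }}"

    # Shibboleth SP
    sp_fqdn: "sp.{{ domain }}"
    # enable edugain attr filter and md providers
    edugain_federation: false

  roles:
    # apt dependencies and certificates
    - role: uninstall
      tags: ["uninstall"]
    - role: common
      tags: ["common"]
    # idp
    - role: shib4idp_install
      tags: ["idp_install"]
    - role: shib4idp_configure
      tags: ["idp_configure"]
    # sp
    - role: shib3sp
      tags: ["sp"]
    # httpd
    - role: httpd
      tags: ["httpd"]
    # only sp
    # - role: apache2_common
    #   tags: ["httpd_sp"]
    # - role: apache2_shib_sp
    #   tags: ["httpd_sp"]
    # federation
    - role: sp_federation
      tags: ["sp_fed"]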