--- - name: prepare storage volume vars: storage_volume: "{{ whawty_auth_instances[whawty_auth_instance].storage }}" include_role: name: "storage/{{ whawty_auth_instances[whawty_auth_instance].storage.type }}/volume" - set_fact: whawty_auth_instance_basepath: "{{ storage_volume_mountpoint }}" - name: create instance config directory file: path: "{{ whawty_auth_instance_basepath }}/config" state: directory - name: create instance store directory file: path: "{{ whawty_auth_instance_basepath }}/store" state: directory owner: app mode: 0700 - name: generate store config template: src: store.yml.j2 dest: "{{ whawty_auth_instance_basepath }}/config/store.yml" mode: 0400 owner: app - name: create instance tls directory file: path: "{{ whawty_auth_instance_basepath }}/tls" state: directory owner: app mode: 0500 - name: generate/install TLS certificates for publishment vars: x509_certificate_name: "whawty-auth-{{ whawty_auth_instance }}_publish" x509_certificate_hostnames: [] x509_certificate_config: ca: "{{ whawty_auth_instances[whawty_auth_instance].publish.zone.certificate_ca_config }}" cert: common_name: "whawty-auth-{{ whawty_auth_instance }}.{{ inventory_hostname }}" extended_key_usage: - serverAuth extended_key_usage_critical: yes create_subject_key_identifier: yes not_after: +100w x509_certificate_renewal: install: - dest: "{{ whawty_auth_instance_basepath }}/tls/publish-crt.pem" src: - fullchain owner: app mode: "0444" - dest: "{{ whawty_auth_instance_basepath }}/tls/publish-key.pem" src: - key owner: app mode: "0400" include_role: name: "x509/{{ whawty_auth_instances[whawty_auth_instance].publish.zone.certificate_provider }}/cert" - name: generate/install TLS certificates for ldap when: - "'ldap' in whawty_auth_instances[whawty_auth_instance]" - "'tls' in whawty_auth_instances[whawty_auth_instance].ldap" vars: x509_certificate_name: "whawty-auth-{{ whawty_auth_instance }}_ldap" x509_certificate_hostnames: "{{ whawty_auth_instances[whawty_auth_instance].ldap.hostnames }}" x509_certificate_config: "{{ whawty_auth_instances[whawty_auth_instance].ldap.tls.certificate_config }}" x509_certificate_renewal: install: - dest: "{{ whawty_auth_instance_basepath }}/tls/ldap-crt.pem" src: - fullchain owner: app mode: "0444" - dest: "{{ whawty_auth_instance_basepath }}/tls/ldap-key.pem" src: - key owner: app mode: "0400" include_role: name: "x509/{{ whawty_auth_instances[whawty_auth_instance].ldap.tls.certificate_provider }}/cert" - name: generate app listener config template: src: listener.yml.j2 dest: "{{ whawty_auth_instance_basepath }}/config/listener.yml" mode: 0400 owner: app - name: set up sync config when: "'sync' in whawty_auth_instances[whawty_auth_instance]" block: - name: create sync directory file: path: "{{ whawty_auth_instance_basepath }}/sync" state: directory - name: generate sync config files loop: - group - passwd - rsyncd.conf - sshd_config template: src: "sync-{{ item }}.j2" dest: "{{ whawty_auth_instance_basepath }}/sync/{{ item }}" - name: generate authorized_keys for sync copy: content: "{{ whawty_auth_instances[whawty_auth_instance].sync.authorized_keys | join('\n') }}\n" dest: "{{ whawty_auth_instance_basepath }}/sync/authorized_keys" - name: generate ssh host key for sync command: "ssh-keygen -q -t ed25519 -f '{{ whawty_auth_instance_basepath }}/sync/ssh_host_ed25519_key' -C '' -N ''" args: creates: "{{ whawty_auth_instance_basepath }}/sync/ssh_host_ed25519_key" - name: fix permissions for ssh host keys file: path: "{{ whawty_auth_instance_basepath }}/sync/ssh_host_ed25519_key" owner: app - name: install pod manifest vars: whawty_auth_instance_config_hash_items__yaml: | - path: "{{ whawty_auth_instance_basepath }}/config/store.yml" - path: "{{ whawty_auth_instance_basepath }}/config/listener.yml" {% if 'sync' in whawty_auth_instances[whawty_auth_instance] %} - path: "{{ whawty_auth_instance_basepath }}/sync/group" - path: "{{ whawty_auth_instance_basepath }}/sync/passwd" - path: "{{ whawty_auth_instance_basepath }}/sync/rsyncd.conf" - path: "{{ whawty_auth_instance_basepath }}/sync/ssh_host_ed25519_key" - path: "{{ whawty_auth_instance_basepath }}/sync/sshd_config" {% endif %} kubernetes_standalone_pod: name: "whawty-auth-{{ whawty_auth_instance }}" spec: "{{ lookup('template', 'pod-spec.yml.j2') }}" config_hash_items: "{{ whawty_auth_instance_config_hash_items__yaml | from_yaml }}" include_role: name: kubernetes/standalone/pod - name: configure nginx vhost for publishment vars: nginx_vhost__yaml: | name: "whawty-auth-{{ whawty_auth_instance }}.{{ inventory_hostname }}" template: generic {% if 'tls' in whawty_auth_instances[whawty_auth_instance].publish %} tls: {{ whawty_auth_instances[whawty_auth_instance].publish.tls | to_nice_yaml(indent=2) | indent(2) }} {% endif %} hostnames: {% for hostname in whawty_auth_instances[whawty_auth_instance].publish.hostnames %} - {{ hostname }} {% endfor %} locations: '/': {% if whawty_auth_instances[whawty_auth_instance].publish.zone.publisher == inventory_hostname %} proxy_pass: "https://127.0.0.1:{{ whawty_auth_instances[whawty_auth_instance].port }}" {% else %} proxy_pass: "https://{{ ansible_default_ipv4.address }}:{{ whawty_auth_instances[whawty_auth_instance].port }}" {% endif %} proxy_ssl: trusted_certificate: "/etc/ssl/apps-publish-{{ whawty_auth_instances[whawty_auth_instance].publish.zone.name }}/apps-publish-{{ whawty_auth_instances[whawty_auth_instance].publish.zone.name }}-ca-crt.pem" verify: "on" name: "whawty-auth-{{ whawty_auth_instance }}.{{ inventory_hostname }}" protocols: "TLSv1.3" nginx_vhost: "{{ nginx_vhost__yaml | from_yaml }}" include_role: name: nginx/vhost apply: delegate_to: "{{ whawty_auth_instances[whawty_auth_instance].publish.zone.publisher }}"