DEV-1213 Add external (sub)domain oes.netgo.de

Michael Hähnel 2 years ago committed by Ketelsen, Sven
parent 42bfe6f408
commit 7b67ee1a0d

@ -53,6 +53,7 @@
remote_user: root remote_user: root
vars: vars:
ansible_ssh_host: "{{ stage_server_domain }}" ansible_ssh_host: "{{ stage_server_domain }}"
connect_version: "{{ connect_image_version }}" # backwards compatibility
pre_tasks: pre_tasks:
- name: "Import autodiscover pre-tasks" - name: "Import autodiscover pre-tasks"
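Review bot: The added `connect_version: "{{ connect_image_version }}"` lives in the play's `vars:`, which take precedence over host and group vars, so any inventory-level `connect_version` a host still carries is silently shadowed by `connect_image_version`. If that is intended, the `# backwards compatibility` comment should name what still reads the old key, e.g. `# backwards compatibility: role vars (connect_process_search_module) still read connect_version`, so the alias can be dropped once that consumer is migrated. The enclosing play starts and ends outside the hunk.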

@ -25,3 +25,21 @@ smardigo_default_theme: "/themes/netgo.json"
connect_wordpress_buergerportal_username: "buergerportal" connect_wordpress_buergerportal_username: "buergerportal"
# initial credentials, keycloak forces password update on first login # initial credentials, keycloak forces password update on first login
connect_wordpress_buergerportal_password: "Buerger?P0rtal." connect_wordpress_buergerportal_password: "Buerger?P0rtal."
# digital ocean dns service (-> dns-challenge)
connect_customer_urls_digitalocean: []
# hetzner dns service (-> dns-challenge)
connect_customer_urls_hetzner: []
# dns is managed by external provider (-> http-challenge)
connect_customer_urls_extern: []
# configure reverse proxy for each url
# keycloak redirect/origins for each url
connect_customer_urls: "{{
connect_customer_urls_digitalocean
+ connect_customer_urls_hetzner
+ connect_customer_urls_extern }}"
# allow customer specific access from ips in cidr notation (e.g. 1.2.3.4/32)
# use 0.0.0.0/0 for public access
connect_customer_networks: []
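Review bot: `connect_customer_urls` concatenates the three lists without de-duplicating, so a name that ends up in both `connect_customer_urls_hetzner` and `connect_customer_urls_extern` produces duplicate Traefik router labels for the same `<connect_id>-extern-<name>` router and both a managed DNS record and an http-challenge resolver for it; `connect_customer_urls: "{{ (connect_customer_urls_digitalocean + connect_customer_urls_hetzner + connect_customer_urls_extern) | unique }}"` removes at least the duplicate labels. The comment on `connect_customer_networks` should also spell out the operational effect of the documented wildcard: with `0.0.0.0/0` the generated `customer-access-to-<host>` rule allows tcp/443 from everyone, and a non-empty `connect_customer_urls_extern` additionally opens tcp/80 to `0.0.0.0/0` for the HTTP-01 challenge. Suggested wording: `# use 0.0.0.0/0 for public access (tcp/443 open to everyone; extern urls additionally open tcp/80)`.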

@ -6,9 +6,12 @@ node_exporter_listen_address: "{{ stage_private_server_ip }}"
blackbox_exporter_fqdn: "dev-blackbox-01.{{ domain }}" blackbox_exporter_fqdn: "dev-blackbox-01.{{ domain }}"
blackbox_http_2xx_targets: blackbox_http_2xx_targets:
- "https://{{ stage }}-keycloak-01.smardigo.digital/auth/" - "{{ shared_service_kube_url_awx }}"
- "https://{{ stage_kube }}-awx.smardigo.digital" - "{{ shared_service_url_gitea }}"
# - 'https://{{ stage }}-management-01-connect.smardigo.digital/' - "{{ shared_service_url_harbor }}"
- "{{ shared_service_url_keycloak }}/auth/"
- "{{ shared_service_url_kibana }}"
- "{{ shared_service_url_management }}"
blackbox_http_2xx_additional_targets: [] blackbox_http_2xx_additional_targets: []

@ -1,15 +0,0 @@
---
server_hcloud_firewall_objects:
- name: "customer-access-to-{{ inventory_hostname }}"
state: present
rules:
- direction: in
protocol: tcp
port: "443"
source_ips: "{{ additional_ip_adresses_vault }}"
destination_ips: []
description: customer specific access to https services
apply_to:
- type: server
server:
id: "{{ stage_server_id }}"

@ -1,8 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
31396666646138353139636535636563613531356430336362386265636465656638656661613135
6331373138383964363266383331633532383537613837310a366531363137656566306565346263
32653430646463356464653939363431363666373637633332323430303934316439326234663532
6661373662663836660a663138613564623237666434353561366366353936363063313831333165
64333464333061336337393762343362373362353462346236323965653666343264343438306132
32653561656337636365663531333066666663623738643463653865663961303239376262306362
373762363465613031666565383535313033

@ -0,0 +1,6 @@
---
connect_customer_urls_extern:
- oes.netgo.de
connect_customer_networks:
- 0.0.0.0/0
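Review bot: `connect_customer_networks` set to `0.0.0.0/0` turns the per-customer tcp/443 firewall rule for this host into a world-open one, and because `connect_customer_urls_extern` is non-empty the http-challenge rule opens tcp/80 to everyone as well; the file should state that this is deliberate rather than a placeholder, e.g. `# intentionally public: oes.netgo.de must be reachable from any address (DEV-1213)` above the key. The per-host vault and `server_hcloud_firewall_objects` that presumably carried an IP allow-list (`additional_ip_adresses_vault`) are deleted in this commit, so no allow-list remains for this host — if that was not the intent, put the CIDRs here instead of the wildcard. For consistency with the role vars, which quote the CIDR, write `- "0.0.0.0/0"` and `- "oes.netgo.de"`; they parse as strings today but quoting protects them from retyping by tooling.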

@ -1,15 +0,0 @@
---
server_hcloud_firewall_objects:
- name: "customer-access-to-{{ inventory_hostname }}"
state: present
rules:
- direction: in
protocol: tcp
port: "443"
source_ips: "{{ additional_ip_adresses_vault }}"
destination_ips: []
description: customer specific access to https services
apply_to:
- type: server
server:
id: "{{ stage_server_id }}"

@ -1,8 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
31396666646138353139636535636563613531356430336362386265636465656638656661613135
6331373138383964363266383331633532383537613837310a366531363137656566306565346263
32653430646463356464653939363431363666373637633332323430303934316439326234663532
6661373662663836660a663138613564623237666434353561366366353936363063313831333165
64333464333061336337393762343362373362353462346236323965653666343264343438306132
32653561656337636365663531333066666663623738643463653865663961303239376262306362
373762363465613031666565383535313033

@ -1,5 +1,4 @@
--- ---
dns: hetzner dns: hetzner
domain: "kfzbrief-bautzen.de" domain: "kfzbrief-bautzen.de"
domain_env: "smardigo.digital" domain_env: "smardigo.digital"
@ -20,31 +19,7 @@ connect_mail_properties_smtp_auth: true
connect_mail_properties_smtp_starttls_enable: true connect_mail_properties_smtp_starttls_enable: true
connect_mail_properties_smtp_starttls_required: true connect_mail_properties_smtp_starttls_required: true
# smardigo.fzbrief-bautzen.de connect_customer_urls_hetzner:
connect_external_subdomain: "smardigo" - smardigo.kfzbrief-bautzen.de
connect_labels_additional: [
'"traefik.http.routers.{{ connect_id }}-extern.service={{ connect_id }}-extern"',
'"traefik.http.routers.{{ connect_id }}-extern.rule=Host(`{{ connect_external_subdomain }}.{{ domain }}`)"',
'"traefik.http.routers.{{ connect_id }}-extern.entrypoints=websecure"',
'"traefik.http.routers.{{ connect_id }}-extern.tls=true"',
'"traefik.http.routers.{{ connect_id }}-extern.tls.certresolver=letsencrypt"',
'"traefik.http.services.{{ connect_id }}-extern.loadbalancer.server.port={{ service_port }}"',
]
server_hcloud_firewall_objects: connect_customer_networks: "{{ connect_customer_networks_vault }}"
-
name: "customer-access-to-{{ inventory_hostname }}"
state: present
rules:
-
direction: in
protocol: tcp
port: '443'
source_ips: "{{ additional_ip_adresses_vault }}"
destination_ips: []
description: customer specific access to https services
apply_to:
-
type: server
server:
id: '{{ stage_server_id }}'

@ -1,17 +1,17 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
33623661396231316264336334366662616361383165643162333435636164376537633634353831 39633034643831306530346439333466323839303039373564643166373063326634653738393066
6330346162656138303539323433353034376635363731640a666263336165643661633039343131 6632613237323364323265333866393533353830376261380a346564613639383931356238346336
32376432373666363639336465363835636139663963666433623266663965623063636236393135 37363032316138393136626137346633353963643933373933653432353330333832346362376238
6163313838323639300a643236656466613463633332383033376466373362306239333034343633 3538356439303732330a316364613762396330373166323830363439353464396233346665646135
31386235326366306238373664633338303233336134333537373930663333383536343465373161 38343139636265343338383265316564663131613463356139333063663931316137373335666562
38336666343765356463383934373939306338376465623266323735643535363339383733396364 31303061303732343662316564383662396265363439626336383666376564326461303935343230
66373937663432663765326437376465326566303863333033643833663734613061333066663134 32643138316461373963623437346232386237356239313566326262313062376663633161613031
30306563376536646538616361653630646463316334373634336435613537663238666235323766 61666161623930666638656337623937353766393866303830353536306466376466356636663663
33333538326639353366363736393735306238383466653834636531623233613639393732613466 31653937386336616661616631653234326138316239623835333238393034356232613963663363
39333266396531326166346566353533613536646637613131663462663934623363663363653163 32316631353061666162643832613263373537323937626361373335353864306663343332663238
61336139653036373566616335396565353537366263396236306261363439623236316430633532 35393732386135343165656366356366646663623762313538636432306266646531326536666234
37663137313437326534646230613561343435343266666665383561666365323863316464393839 34303038323830623964653461653133366235643962346465643634386433653661653230353138
34303665623265383064313965643630613938656538363162656139613365616633346666353761 39633537316664613164666533303263393430636465303239353935646462626166353965376462
63363864666163633661616664623937616366383138333763636135356334346337323132656538 34356235343462616266383966613137656462393262306166646337373161323863376566653063
36316565383935363136666437393133393063636230366237303030386665373133306665623933 62336531313031346436313131363361323134323964643838336338343363313330386533313865
62326562333931373764 66333164303634363132

@ -16,3 +16,24 @@ connect_resubmission_enabled: false
connect_search_elastic_enabled: false connect_search_elastic_enabled: false
connect_swagger_enabled: true connect_swagger_enabled: true
connect_workflow_heatmap_enabled: false connect_workflow_heatmap_enabled: false
firewall_rule_connect_customer:
- direction: in
protocol: tcp
port: "443"
source_ips: "{{ connect_customer_networks }}"
destination_ips: []
description: customer specific access to https services
firewall_rule_lets_encrypt_http_challenge:
- direction: in
protocol: tcp
port: "80"
source_ips:
- "0.0.0.0/0"
destination_ips: []
description: lets encrypt http challenge due to external managed dns entries
connect_customer_firewall_entry_rules: "{{
(firewall_rule_connect_customer if (connect_customer_networks | length > 0) else [])
+ (firewall_rule_lets_encrypt_http_challenge if (connect_customer_urls_extern | length > 0) else [])
}}"
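Review bot: `firewall_rule_lets_encrypt_http_challenge` opens tcp/80 from `0.0.0.0/0` permanently whenever an extern url is configured, not just during issuance or renewal, so whatever listens on port 80 (presumably Traefik's HTTP entrypoint, not visible here) is world-reachable even on hosts whose tcp/443 is limited to `connect_customer_networks`; the description should say so, e.g. `description: lets encrypt http-01 challenge (tcp/80 open to everyone while extern urls exist)`, and the port-80 entrypoint should serve only the ACME path and redirects. `source_ips: "{{ connect_customer_networks }}"` also relies on the value being a list: the `connect_customer_networks | length > 0` guard in `connect_customer_firewall_entry_rules` is satisfied by any non-empty string, so a host that sets it from a vault scalar — as `connect_customer_networks: "{{ connect_customer_networks_vault }}"` on the kfzbrief-bautzen host could, the vault being opaque — would pass the guard and hand hcloud a string. A comment `# connect_customer_networks must be a list of CIDR strings` above `firewall_rule_connect_customer` makes the contract explicit.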

@ -1,12 +1,11 @@
--- ---
### tags: ### tags:
### update_certs ### update_certs
### update_deployment ### update_deployment
- name: "Creating smardigo user token" - name: "Creating smardigo user token"
smardigo_user_token: smardigo_user_token:
secret: "{{ connect_jwt_secret }}" secret: "{{ connect_jwt_secret }}"
user_id: "{{ connect_client_admin_username }}" user_id: "{{ connect_client_admin_username }}"
register: smardigo_user_token_result register: smardigo_user_token_result
delegate_to: 127.0.0.1 delegate_to: 127.0.0.1
@ -16,7 +15,7 @@
- name: "Creating iam user token" - name: "Creating iam user token"
smardigo_user_token: smardigo_user_token:
secret: "{{ iam_jwt_secret }}" secret: "{{ iam_jwt_secret }}"
user_id: "{{ connect_client_admin_username }}" user_id: "{{ connect_client_admin_username }}"
realm: "{{ current_realm_name }}" realm: "{{ current_realm_name }}"
client_id: "{{ connect_oidc_client_id }}" client_id: "{{ connect_oidc_client_id }}"
@ -27,48 +26,104 @@
- update_deployment - update_deployment
- name: "Setting smardigo_auth_token_value and iam_auth_token_value as fact" - name: "Setting smardigo_auth_token_value and iam_auth_token_value as fact"
set_fact: ansible.builtin.set_fact:
smardigo_auth_token_value: "{{ smardigo_user_token_result.token }}" smardigo_auth_token_value: "{{ smardigo_user_token_result.token }}"
iam_auth_token_value: "{{ iam_user_token_result.token }}" iam_auth_token_value: "{{ iam_user_token_result.token }}"
tags: tags:
- update_deployment - update_deployment
- name: "Setup hcloud firewalls for <{{ inventory_hostname }}>" # Generate Traefik labels for customer specific domains
include_role: - name: "Configure Traefik for customer domains"
name: hetzner-ansible-hcloud
tasks_from: configure-firewall2
loop: "{{ server_hcloud_firewall_objects }}"
loop_control:
loop_var: firewall_object
when: when:
- server_hcloud_firewall_objects is defined - connect_customer_urls | length > 0
tags:
- update_deployment
block:
- name: "Create additional Traefik labels for customer url"
ansible.builtin.set_fact:
connect_labels_customer_urls:
- '"traefik.http.routers.{{ connect_id }}-extern-{{ customer_url | replace(".", "-") }}.service={{ connect_id }}"'
- '"traefik.http.routers.{{ connect_id }}-extern-{{ customer_url | replace(".", "-") }}.rule=Host(`{{ customer_url }}`)"'
- '"traefik.http.routers.{{ connect_id }}-extern-{{ customer_url | replace(".", "-") }}.entrypoints=websecure"'
- '"traefik.http.routers.{{ connect_id }}-extern-{{ customer_url | replace(".", "-") }}.tls=true"'
- '"traefik.http.routers.{{ connect_id }}-extern-{{ customer_url | replace(".", "-") }}.tls.certresolver={{ "letsencrypt-http" if (customer_url in connect_customer_urls_extern) else "letsencrypt" }}"'
loop: "{{ connect_customer_urls }}"
register: connect_labels_customer_urls_result
loop_control:
loop_var: customer_url
tags:
- update_deployment
- name: "Setup DNS configuration for <{{ connect_external_subdomain }}> to <{{ stage_server_ip }}>" - name: "Extract Traefik labels for customer urls"
ansible.builtin.set_fact:
connect_labels_additional: "{{ connect_labels_additional | default([]) + connect_labels_customer_url.ansible_facts.connect_labels_customer_urls }}"
loop: "{{ connect_labels_customer_urls_result.results }}"
loop_control:
loop_var: connect_labels_customer_url
tags:
- update_deployment
- name: "Setup customer specific firewall rules for <{{ inventory_hostname }}>"
block:
- name: "Configure customer specific firewall rules for <{{ inventory_hostname }}>"
ansible.builtin.set_fact:
connect_customer_firewall_entries:
- name: "customer-access-to-{{ inventory_hostname }}"
state: present
rules: "{{ connect_customer_firewall_entry_rules }}"
apply_to:
- type: server
server:
id: "{{ stage_server_id }}"
- name: "Setup customer specific firewall rules for <{{ inventory_hostname }}>"
ansible.builtin.include_role:
name: hetzner-ansible-hcloud
tasks_from: configure-firewall2
loop: "{{ connect_customer_firewall_entries }}"
loop_control:
loop_var: firewall_object
- name: "Setup DNS configuration for <{{ connect_id }}> to <{{ stage_server_ip }}>"
include_role: include_role:
name: hetzner-ansible-dns name: hetzner-ansible-dns
vars: vars:
record_data: "{{ stage_server_ip }}" record_data: "{{ stage_server_ip }}"
record_name: "{{ connect_external_subdomain }}" record_name: "{{ connect_id }}"
- name: "Setup DNS configuration at DigitalOcean"
ansible.builtin.include_role:
name: hetzner-ansible-dns
vars:
dns: digitalocean
record_data: "{{ stage_server_ip }}"
record_name: "{{ item.split('.')[:-2] | join('.') }}"
domain: "{{ item.split('.')[-2:] | join('.') }}"
when: when:
- connect_external_subdomain is defined - connect_customer_urls_digitalocean | length > 0
loop: "{{ connect_customer_urls_digitalocean }}"
- name: "Setup DNS configuration for <{{ connect_id }}> to <{{ stage_server_ip }}>" - name: "Setup DNS configuration at Hetzner"
include_role: ansible.builtin.include_role:
name: hetzner-ansible-dns name: hetzner-ansible-dns
vars: vars:
dns: hetzner
record_data: "{{ stage_server_ip }}" record_data: "{{ stage_server_ip }}"
record_name: "{{ connect_id }}" record_name: "{{ item.split('.')[:-2] | join('.') }}"
domain: "{{ item.split('.')[-2:] | join('.') }}"
when:
- connect_customer_urls_hetzner | length > 0
loop: "{{ connect_customer_urls_hetzner }}"
- name: "Check if {{ connect_id }}/docker-compose.yml exists" - name: "Check if {{ connect_id }}/docker-compose.yml exists"
stat: stat:
path: '{{ service_base_path }}/{{ connect_id }}/docker-compose.yml' path: "{{ service_base_path }}/{{ connect_id }}/docker-compose.yml"
register: check_docker_compose_file register: check_docker_compose_file
tags: tags:
- update_deployment - update_deployment
- name: "Stop {{ connect_id }}" - name: "Stop {{ connect_id }}"
community.docker.docker_compose: community.docker.docker_compose:
project_src: '{{ service_base_path }}/{{ connect_id }}' project_src: "{{ service_base_path }}/{{ connect_id }}"
state: absent state: absent
when: check_docker_compose_file.stat.exists when: check_docker_compose_file.stat.exists
tags: tags:
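Review bot: The "Setup customer specific firewall rules" block no longer has a guard (the old `when: server_hcloud_firewall_objects is defined` is gone), so on hosts with neither `connect_customer_networks` nor `connect_customer_urls_extern` a `customer-access-to-<host>` firewall object with `rules: []` and `state: present` is still handed to `configure-firewall2`; whether that creates an empty firewall, is a no-op, or is the intended way to strip stale rules depends on that role, which is not visible here. If the unconditional run is intended, a comment on the block saying so is enough; otherwise `when: connect_customer_firewall_entry_rules | length > 0` on the block restores the old behaviour, at the cost of never removing rules once a host's networks are emptied. The DigitalOcean and Hetzner DNS tasks derive `record_name` and `domain` with `item.split('.')[:-2]` / `[-2:]`, which assumes the hosted zone is always the last two labels; a name under a `co.uk`-style zone or under a delegated sub-zone would be filed in the wrong zone, so add `# assumes <record>.<zone-label>.<tld>; multi-label zones are not supported` above `record_name`. Style: this hunk mixes `include_role:` (the `<connect_id>` DNS task) with `ansible.builtin.include_role:` elsewhere; using the FQCN throughout matches the new tasks.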
@ -117,7 +172,7 @@
- name: "Restart {{ connect_id }}" - name: "Restart {{ connect_id }}"
community.docker.docker_compose: community.docker.docker_compose:
project_src: '{{ service_base_path }}/{{ connect_id }}' project_src: "{{ service_base_path }}/{{ connect_id }}"
restarted: yes restarted: yes
build: no build: no
tags: tags:
@ -126,7 +181,7 @@
- name: "Update {{ connect_id }}" - name: "Update {{ connect_id }}"
community.docker.docker_compose: community.docker.docker_compose:
project_src: '{{ service_base_path }}/{{ connect_id }}' project_src: "{{ service_base_path }}/{{ connect_id }}"
state: present state: present
pull: yes pull: yes
tags: tags:

@ -1,5 +1,4 @@
--- ---
connect_process_search_module: "{{ connect_search_elastic_enabled | ternary((connect_version is version('11.1', '>=') | ternary('external_v2', 'external')), 'embedded') }}" connect_process_search_module: "{{ connect_search_elastic_enabled | ternary((connect_version is version('11.1', '>=') | ternary('external_v2', 'external')), 'embedded') }}"
connect_spring_profiles_include: connect_spring_profiles_include:

@ -1,58 +0,0 @@
---
connect_id: "{{ inventory_hostname }}-connect"
connect_admin_username: "connect-admin"
connect_admin_password: "{{ connect_admin_password_vault }}"
connect_postgres_username: "connect-postgres-username"
connect_postgres_password: "{{ connect_postgres_password_vault }}"
connect_image_name: "{{ shared_service_hostname_harbor }}/smardigo/connect-whitelabel-app"
iam_image_name: "{{ shared_service_hostname_harbor }}/smardigo/iam-app"
elasticsearch_username: "elastic"
elasticsearch_password: "{{ elasticsearch_password_vault }}"
keycloak_id: "{{ inventory_hostname }}-keycloak"
keycloak_admin_username: "keycloak-admin"
keycloak_admin_password: "{{ keycloak_admin_password_vault }}"
keycloak_postgres_username: "keycloak_postgres"
keycloak_postgres_password: "{{ keycloak_postgres_password_vault }}"
keycloak_image_name: "{{ shared_service_hostname_harbor }}/smardigo/keycloak"
kibana_id: "{{ inventory_hostname }}-kibana"
shared_service_mail_hostname: "not_available"
current_realm_name: connect
connect_client_id: "{{ connect_id }}"
current_realm_clients: [
{
name: '{{ connect_client_id }}',
clientId: "{{ connect_client_id }}",
admin_url: '',
root_url: '',
redirect_uris: [
"{{ http_s }}://{{ connect_base_url }}/*",
"{{ http_s }}://{{ connect_external_subdomain }}.{{ domain }}/*",
],
secret: '{{ connect_client_id }}',
web_origins: [
"{{ http_s }}://{{ connect_base_url }}",
"{{ http_s }}://{{ connect_external_subdomain }}.{{ domain }}",
]
},{
name: 'mpm',
clientId: "mpm",
admin_url: '',
root_url: '',
redirect_uris: [
"{{ http_s }}://{{ connect_base_url }}/*",
],
secret: '9d9ca019-8245-4b72-b8eb-8020535eba8e',
web_origins: [
"{{ http_s }}://{{ connect_base_url }}",
]
},
]
connect_compact_tls_cert_resolver: letsencrypt-http

@ -1,61 +0,0 @@
---
- name: "Setup DNS configuration for <{{ connect_id }}> to <{{ stage_server_ip }}>"
include_role:
name: hetzner-ansible-dns
vars:
record_data: "{{ stage_server_ip }}"
record_name: "{{ connect_id }}"
- name: "Setup DNS configuration for <{{ connect_external_subdomain }}> to <{{ stage_server_ip }}>"
include_role:
name: hetzner-ansible-dns
vars:
record_data: "{{ stage_server_ip }}"
record_name: "{{ connect_external_subdomain }}"
when: connect_external_subdomain is defined
- name: "Setup DNS configuration for <{{ kibana_id }}> to <{{ stage_server_ip }}>"
include_role:
name: hetzner-ansible-dns
vars:
record_data: "{{ stage_server_ip }}"
record_name: "{{ kibana_id }}"
- name: "Setup realm for {{ connect_id }}"
include_role:
name: keycloak
tasks_from: _configure_realm
apply:
tags:
- configure_realm
tags:
- configure_realm
- name: "Check if {{ connect_id }}/docker-compose.yml exists"
stat:
path: '{{ service_base_path }}/{{ connect_id }}/docker-compose.yml'
register: check_docker_compose_file_connect
- name: "Deploy docker templates for {{ connect_id }}"
include_role:
name: hetzner-ansible-sma-deploy
tasks_from: templates
vars:
current_config: "connect-compact"
current_base_path: "{{ service_base_path }}"
current_destination: "{{ connect_id }}"
current_owner: "{{ docker_owner }}"
current_group: "{{ docker_group }}"
- name: "Stop {{ connect_id }}"
community.docker.docker_compose:
project_src: '{{ service_base_path }}/{{ connect_id }}'
state: absent
when: check_docker_compose_file_connect.stat.exists
- name: "Restart {{ connect_id }}"
community.docker.docker_compose:
project_src: '{{ service_base_path }}/{{ connect_id }}'
state: present
pull: no

@ -3,7 +3,7 @@ connect_client_secret: "{{ connect_client_id }}"
client_web_origin_connect: "{{ http_s }}://{{ connect_base_url }}" client_web_origin_connect: "{{ http_s }}://{{ connect_base_url }}"
client_web_origin_wordpress: "{{ http_s }}://{{ wordpress_base_url }}" client_web_origin_wordpress: "{{ http_s }}://{{ wordpress_base_url }}"
client_web_origin_connect_external: "{{ http_s }}://{{ connect_external_subdomain | default('unset') }}.{{ domain }}" client_web_origin_connect_external: "{{ connect_customer_urls | map('regex_replace', '(.+)', http_s + '://\\1') | list }}"
current_realm_clients: current_realm_clients:
- name: "{{ connect_client_id }}" - name: "{{ connect_client_id }}"
@ -13,14 +13,14 @@ current_realm_clients:
redirect_uris: "{{ redirect_uris: "{{
[client_web_origin_connect + '/*'] + [client_web_origin_connect + '/*'] +
([client_web_origin_wordpress + '/*'] if 'connect_wordpress' in groups else []) + ([client_web_origin_wordpress + '/*'] if 'connect_wordpress' in groups else []) +
([client_web_origin_connect_external + '/*'] if connect_external_subdomain is defined else []) (client_web_origin_connect_external | default([]) | map('regex_replace', '(.+)', '\\1/*') | list)
}}" }}"
secret: "{{ connect_oidc_client_secret }}" secret: "{{ connect_oidc_client_secret }}"
web_origins: "{{ web_origins: "{{
[client_web_origin_connect] + [client_web_origin_connect] +
([client_web_origin_wordpress] if 'connect_wordpress' in groups else []) + ([client_web_origin_wordpress] if 'connect_wordpress' in groups else []) +
([client_web_origin_connect_external] if connect_external_subdomain is defined else []) (client_web_origin_connect_external | default([]))
}}" }}"
current_realm_users_base: current_realm_users_base:
- username: "{{ connect_client_admin_username }}" - username: "{{ connect_client_admin_username }}"
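Review bot: `client_web_origin_connect_external` now holds a list of origins while its name is singular, and the `| default([])` at both consumers is dead because the variable is unconditionally defined two lines above; a comment such as `# one origin per entry of connect_customer_urls; may be an empty list` above the definition would make the new shape clear to the next reader. Every customer url, including names under DNS the project does not control (`connect_customer_urls_extern`), now becomes a `/*` wildcard redirect URI and a web origin of the Keycloak client — the same exposure the old single external subdomain had, multiplied by the list — so the list should be kept minimal and reviewed together with `connect_customer_networks`.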

@ -1,12 +0,0 @@
---
keycloak_id: "{{ inventory_hostname }}-keycloak"
keycloak_admin_username: "keycloak-admin"
keycloak_admin_password: "{{ keycloak_admin_password_vault }}"
keycloak_postgres_username: "keycloak_postgres"
keycloak_postgres_password: "{{ keycloak_postgres_password_vault }}"
keycloak_image_name: "{{ shared_service_hostname_harbor }}/smardigo/keycloak"
keycloak_compact_tls_cert_resolver: letsencrypt-http
service_port_keycloak_external: 8110

@ -1,56 +0,0 @@
---
### tags:
### configure_realm
- name: "Setup DNS configuration for <{{ keycloak_id }}> to <{{ stage_server_ip }}>"
include_role:
name: hetzner-ansible-dns
vars:
record_data: "{{ stage_server_ip }}"
record_name: "{{ keycloak_id }}"
- name: "Setup DNS configuration for <{{ keycloak_external_subdomain }}> to <{{ stage_server_ip }}>"
include_role:
name: hetzner-ansible-dns
vars:
record_data: "{{ stage_server_ip }}"
record_name: "{{ keycloak_external_subdomain }}"
when: keycloak_external_subdomain is defined
- name: "Check if {{ keycloak_id }}/docker-compose.yml exists"
stat:
path: '{{ service_base_path }}/{{ keycloak_id }}/docker-compose.yml'
register: check_docker_compose_file
- name: "Deploy docker templates for {{ keycloak_id }}"
include_role:
name: hetzner-ansible-sma-deploy
tasks_from: templates
vars:
current_config: "keycloak-compact"
current_base_path: "{{ service_base_path }}"
current_destination: "{{ keycloak_id }}"
current_owner: "{{ docker_owner }}"
current_group: "{{ docker_group }}"
- name: "Stop {{ keycloak_id }}"
community.docker.docker_compose:
project_src: '{{ service_base_path }}/{{ keycloak_id }}'
state: absent
when: check_docker_compose_file.stat.exists
- name: "Start {{ keycloak_id }}"
community.docker.docker_compose:
project_src: '{{ service_base_path }}/{{ keycloak_id }}'
state: present
- name: "Setting local keycloak url"
set_fact:
shared_service_url_keycloak: "http://localhost:{{ service_port_keycloak_external }}"
- name: "Wait for <localhost:{{ service_port_keycloak_external }}>"
wait_for:
host: "localhost"
port: '{{ service_port_keycloak_external }}'
delay: 30

@ -67,12 +67,6 @@
- role: backup - role: backup
when: "'backup' in group_names" when: "'backup' in group_names"
- role: keycloak_compact
when: "'keycloak_compact' in group_names"
- role: connect_compact
when: "'connect_compact' in group_names"
- role: mpmx - role: mpmx
when: "'mpmx' in group_names" when: "'mpmx' in group_names"

@ -192,7 +192,7 @@
tags: tags:
- always - always
- name: "Printing autodicoverd values for <{{ inventory_hostname }}> on stage <{{ stage }}/{{ stage_kube }}>" - name: "Printing autodiscovered values for <{{ inventory_hostname }}> on stage <{{ stage }}/{{ stage_kube }}>"
debug: debug:
msg: msg:
- "host: <{{ inventory_hostname }}>" - "host: <{{ inventory_hostname }}>"

@ -1,11 +0,0 @@
smardigo:
linked-applications:
-
name: Password Change
url: https://{{ keycloak_external_subdomain }}.{{ domain }}/auth/realms/{{ current_realm_name }}/account/password
-
name: User Management
url: https://{{ keycloak_external_subdomain }}.{{ domain }}/auth/admin/{{ current_realm_name }}/console
-
name: MPM Process Mining
url: https://mehrwerk-demo.eu.qlikcloud.com

@ -1,10 +0,0 @@
---
cluster.name: "{{ connect_id }}-elastic"
network.host: 0.0.0.0
discovery.type: single-node
xpack.security.enabled: true
xpack.license.self_generated.type: basic
xpack.monitoring.collection.enabled: true

@ -1,182 +0,0 @@
version: '3.7'
networks:
back-tier:
external: True
front-tier:
external: True
volumes:
{{ connect_id }}-postgres-data: {}
{{ connect_id }}-elastic-data: {}
services:
{{ connect_id }}:
image: "{{ connect_image_name }}:{{ connect_version }}"
container_name: "{{ connect_id }}"
restart: always
labels:
- "traefik.enable=true"
- "traefik.http.routers.{{ connect_id }}.service={{ connect_id }}"
- "traefik.http.routers.{{ connect_id }}.rule=Host(`{{ connect_id }}.{{ domain }}`)"
- "traefik.http.routers.{{ connect_id }}.entrypoints=websecure"
- "traefik.http.routers.{{ connect_id }}.tls=true"
- "traefik.http.routers.{{ connect_id }}.tls.certresolver={{ connect_compact_tls_cert_resolver }}"
- "traefik.http.services.{{ connect_id }}.loadbalancer.server.port=8080"
- "traefik.http.routers.{{ connect_id }}-admin.service={{ connect_id }}-admin"
- "traefik.http.routers.{{ connect_id }}-admin.rule=Host(`{{ connect_id }}.{{ domain }}`)"
- "traefik.http.routers.{{ connect_id }}-admin.entrypoints=admin-service"
- "traefik.http.routers.{{ connect_id }}-admin.tls=true"
- "traefik.http.routers.{{ connect_id }}-admin.tls.certresolver={{ connect_compact_tls_cert_resolver }}"
- "traefik.http.services.{{ connect_id }}-admin.loadbalancer.server.port={{ management_port }}"
{% if
connect_external_subdomain is defined
%}
- "traefik.http.routers.{{ connect_id }}-extern.service={{ connect_id }}-extern"
- "traefik.http.routers.{{ connect_id }}-extern.rule=Host(`{{ connect_external_subdomain }}.{{ domain }}`)"
- "traefik.http.routers.{{ connect_id }}-extern.entrypoints=websecure"
- "traefik.http.routers.{{ connect_id }}-extern.tls=true"
- "traefik.http.routers.{{ connect_id }}-extern.tls.certresolver={{ connect_compact_tls_cert_resolver }}"
- "traefik.http.services.{{ connect_id }}-extern.loadbalancer.server.port=8080"
{% endif %}
environment:
TZ: "Europe/Berlin"
NAME: "MPM eXecution 2.0"
TENANT_ID: "{{ connect_id }}"
ADMIN_LOGIN: "{{ connect_admin_username }}"
ADMIN_PASSWORD: "{{ connect_admin_password }}"
DATASOURCE_URL: "jdbc:postgresql://{{ connect_id }}-postgres:5432/connect-postgres"
DATASOURCE_USERNAME: "{{ connect_postgres_username }}"
DATASOURCE_PASSWORD: "{{ connect_postgres_password }}"
MAIL_PROTOCOL: "smtp"
MAIL_HOST: "smtp.web.de"
MAIL_PORT: "587"
MAIL_USER: "{{ connect_email_username }}"
MAIL_PASSWORD: "{{ connect_email_password }}"
MAIL_PROPERTIES_SIMULATION: "false"
MAIL_PROPERTIES_BASE_URL: "https://{{ connect_id }}.{{ domain }}"
MAIL_PROPERTIES_BASE_URL_EXTERN: "https://{{ connect_id }}.{{ domain }}"
MAIL_PROPERTIES_SENDER: "smardigo.email@web.de"
MAIL_PROPERTIES_SENDER_ALIAS: "noreply-connect"
MAIL_PROPERTIES_SMTP_AUTH: "true"
MAIL_PROPERTIES_SMTP_STARTTLS_ENABLE: "true"
MAIL_PROPERTIES_SMTP_STARTTLS_REQUIRED: "true"
AUTH_MODULE: "oidc"
OIDC_CLIENT_ID: "{{ connect_id }}"
OIDC_CLIENT_SECRET: "{{ connect_id }}"
OIDC_REGISTRATION_ID: "{{ connect_id }}"
OIDC_ISSUER_URI: "https://{{ keycloak_external_subdomain }}.{{ domain }}/auth/realms/{{ current_realm_name }}"
PASSWORD_CHANGE_URL: "https://{{ keycloak_external_subdomain }}.{{ domain }}/auth/realms/{{ current_realm_name }}/account/password"
USER_MANAGEMENT_URL: "https://{{ keycloak_external_subdomain }}.{{ domain }}/auth/admin/{{ current_realm_name }}/console"
IAM_MODULE: "external"
IAM_CLIENT_ENABLED: "true"
EXTERNAL_IAM_SERVER_URL: "http://{{ connect_id }}-iam:8080"
PROCESS_SEARCH_MODULE: "embedded"
ELASTIC_HOST: "{{ connect_id }}-elastic"
ELASTIC_PREFIX: "{{ connect_id }}"
ELASTIC_USERNAME: "{{ elasticsearch_username }}"
ELASTIC_PASSWORD: "{{ elasticsearch_password }}"
ELASTIC_SEARCH_INDEX: "search"
ELASTIC_MESSAGE_INDEX: "message"
ELASTIC_ANALYSIS_INDEX: "analysis"
SPRING_PROFILES_INCLUDE: "linked-applications, swagger, elastic"
PROCESS_SEARCH_MODULE: "external"
SPRINGDOC_SERVER_URL: "https://{{ connect_id }}.{{ domain }}"
SMA_CORS_ORIGINS: "https://{{ connect_id }}.{{ domain }}"
SMA_CORS_ALLOWED_METHODS: "*"
SMA_CORS_ALLOWED_HEADERS: "*"
SMA_CORS_PATH_PATTERN: "/**"
SMA_LANGUAGE_CODE: "en"
SMA_JWT_ENABLED: "True"
SMA_JWT_SECRET: "{{ sma_jwt_secret }}"
RESUBMISSION_ENABLED: "true"
ELEMENT_TEMPLATE_ENABLED: "true"
CONFIG_DELETE_SCOPE_ENABLED: "true"
EXTERNAL_TASK_SCRIPT_WORKER_ENABLED: "false"
CONFIG_DELETE_SCOPE_ENABLED: "true"
CONFIG_LOCAL_IMPORT_ENABLED: "true"
SMA_WORKFLOW_HEATMAP_ENABLED: "true"
LOG_LEVEL_CAMUNDA: "OFF"
LOG_LEVEL_JASYPT: "ERROR"
LOG_LEVEL_MESSAGE_QUEUE: "INFO"
LOG_LEVEL_DOCUMENT_INDEX: "INFO"
LOG_LEVEL_WORKFLOW_INDEX: "INFO"
LOG_LEVEL_WORKFLOW_ANALYSIS: "INFO"
volumes:
- "./config/application-linked-applications.yml:/config/application-linked-applications.yml"
networks:
- "back-tier"
- "front-tier"
{{ connect_id }}-postgres:
image: "postgres:12"
container_name: "{{ connect_id }}-postgres"
restart: always
environment:
POSTGRES_DB: "connect-postgres"
POSTGRES_USER: "{{ connect_postgres_username }}"
POSTGRES_PASSWORD: "{{ connect_postgres_password }}"
volumes:
- "{{ connect_id }}-postgres-data:/var/lib/postgresql/data"
networks:
- "back-tier"
{{ connect_id }}-elastic:
image: "docker.elastic.co/elasticsearch/elasticsearch:7.16.3"
container_name: "{{ connect_id }}-elastic"
restart: always
environment:
ES_JAVA_OPTS: "-Xmx2G -Xms2G"
ELASTIC_PASSWORD: "{{ elasticsearch_password }}"
volumes:
- "./config/elasticsearch/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml:ro"
- "{{ connect_id }}-elastic-data:/usr/share/elasticsearch/data"
networks:
- "back-tier"
{{ connect_id }}-kibana:
image: "docker.elastic.co/kibana/kibana:7.16.3"
container_name: "{{ connect_id }}-kibana"
restart: always
labels:
- "traefik.enable=true"
- "traefik.http.routers.{{ connect_id }}-kibana.service={{ connect_id }}-kibana"
- "traefik.http.routers.{{ connect_id }}-kibana.rule=Host(`{{ kibana_id }}.{{ domain }}`)"
- "traefik.http.routers.{{ connect_id }}-kibana.entrypoints=websecure"
- "traefik.http.routers.{{ connect_id }}-kibana.tls=true"
- "traefik.http.routers.{{ connect_id }}-kibana.tls.certresolver={{ connect_compact_tls_cert_resolver }}"
- "traefik.http.services.{{ connect_id }}-kibana.loadbalancer.server.port=5601"
- "traefik.http.routers.{{ connect_id }}-kibana.middlewares={{ connect_id }}-kibana-ipwhitelist"
- "traefik.http.middlewares.{{ connect_id }}-kibana-ipwhitelist.ipwhitelist.sourcerange={{ ( ip_whitelist_netgo ) | join(',') }}"
mem_limit: 1G
volumes:
- "./config/kibana/kibana.yml:/usr/share/kibana/config/kibana.yml:ro"
networks:
- "back-tier"
- "front-tier"
{{ connect_id }}-iam:
image: "{{ iam_image_name }}:{{ iam_version }}"
container_name: "{{ connect_id }}-iam"
restart: always
environment:
SERVER_ERROR_INCLUDE_MESSAGE: "always"
IAM_KEYCLOAK_AUTH_SERVER_URL: "https://{{ keycloak_external_subdomain }}.{{ domain }}/auth"
IAM_KEYCLOAK_ADMIN_USER: "{{ keycloak_admin_username }}"
IAM_KEYCLOAK_ADMIN_PASSWORD: "{{ keycloak_admin_password }}"
IAM_JWT_CONFIG_READ_TIMEOUT: 3000
IAM_CACHE_TENANTS_TTL: "3600"
IAM_CACHE_ROLES_TTL: "60"
IAM_CACHE_USERS_TTL: "60"
IAM_CACHE_JWKS_TTL: "3600"
networks:
- "back-tier"

@ -1,61 +0,0 @@
version: '3.7'
networks:
back-tier:
external: True
front-tier:
external: True
volumes:
{{ keycloak_id }}-postgres-data: {}
services:
{{ keycloak_id }}:
image: "{{ keycloak_image_name }}:{{ keycloak_version }}"
container_name: "{{ keycloak_id }}"
command: "start"
restart: always
labels:
- "traefik.enable=true"
- "traefik.http.routers.{{ keycloak_id }}.service={{ keycloak_id }}"
- "traefik.http.routers.{{ keycloak_id }}.rule=Host(`{{ keycloak_id }}.smardigo.digital`)"
- "traefik.http.routers.{{ keycloak_id }}.entrypoints=websecure"
- "traefik.http.routers.{{ keycloak_id }}.tls=true"
- "traefik.http.routers.{{ keycloak_id }}.tls.certresolver={{ keycloak_compact_tls_cert_resolver }}"
- "traefik.http.services.{{ keycloak_id }}.loadbalancer.server.port=8080"
{% if
keycloak_external_subdomain is defined
%}
- "traefik.http.routers.{{ keycloak_id }}-extern.service={{ keycloak_id }}-extern"
- "traefik.http.routers.{{ keycloak_id }}-extern.rule=Host(`{{ keycloak_external_subdomain }}.smardigo.digital`)"
- "traefik.http.routers.{{ keycloak_id }}-extern.entrypoints=websecure"
- "traefik.http.routers.{{ keycloak_id }}-extern.tls=true"
- "traefik.http.routers.{{ keycloak_id }}-extern.tls.certresolver={{ keycloak_compact_tls_cert_resolver }}"
- "traefik.http.services.{{ keycloak_id }}-extern.loadbalancer.server.port=8080"
{% endif %}
environment:
KEYCLOAK_USER: "{{ keycloak_admin_username }}"
KEYCLOAK_ADMIN_PASSWORD: "{{ keycloak_admin_password }}"
KC_PROXY: "edge"
KC_HOSTNAME: "{{ keycloak_id }}.{{ domain_env }}"
KC_DB: "postgres"
KC_DB_USERNAME: "{{ keycloak_postgres_username }}"
KC_DB_PASSWORD: "{{ keycloak_postgres_password }}"
KC_DB_URL: "jdbc:postgresql://{{ keycloak_id }}-postgres:{{ service_port_postgres }}/keycloak-postgres"
networks:
- "back-tier"
- "front-tier"
ports:
- "8110:8080"
{{ keycloak_id }}-postgres:
image: "postgres:12"
container_name: "{{ keycloak_id }}-postgres"
restart: always
environment:
POSTGRES_DB: "keycloak-postgres"
POSTGRES_USER: "{{ keycloak_postgres_username }}"
POSTGRES_PASSWORD: "{{ keycloak_postgres_password }}"
volumes:
- "{{ keycloak_id }}-postgres-data:/var/lib/postgresql/data"
networks:
- "back-tier"