diff --git a/roles/sram_ldap/defaults/main.yml b/roles/sram_ldap/defaults/main.yml deleted file mode 100644 index 8a36fa76c..000000000 --- a/roles/sram_ldap/defaults/main.yml +++ /dev/null @@ -1,37 +0,0 @@ ---- -sram_ldap_image: "ghcr.io/surfscz/sram-ldap:main" -sram_ldap_conf_dir: "{{ current_release_appdir }}/sram/ldap" -sram_ldap_ldif_dir: "{{ sram_ldap_conf_dir }}/schema" -sram_ldap_certs_dir: "{{ sram_ldap_conf_dir }}/certs" -sram_ldap_backup_dir: "{{ sram_ldap_conf_dir }}/ldap" -sram_ldap_data_dir: "{{ sram_ldap_conf_dir}}/data" -sram_ldap_uri: "ldap://localhost/" - -sram_ldap_user: "openldap" -sram_ldap_group: "openldap" - -# admin_group: "ldap_admin" -sram_ldap_admins: - - name: Admin - uid: admin - pw_hash: "!" - sshkey: "" - -sram_ldap_loglevel: "stats stats2 filter" - -sram_ldap_services_password: secret -sram_ldap_monitor_password: secret -sram_ldap_ldap_monitor_password: secret - -sram_ldap_rid_prefix: "ldap://" - -sram_ldap_base_domain: "{{ base_domain }}" -sram_ldap_base_dn: >- - {{ ((sram_ldap_base_domain.split('.')|length)*['dc=']) | - zip(sram_ldap_base_domain.split('.')) | list | map('join', '') | list | join(',') }} -sram_ldap_services_dn: - basedn: "dc=services,{{ sram_ldap_base_dn }}" - o: "Services" - binddn: "cn=admin,{{ sram_ldap_base_dn }}" - -sram_ldap_hosts: {} diff --git a/roles/sram_ldap/files/eduMember.ldif b/roles/sram_ldap/files/eduMember.ldif deleted file mode 100644 index 42894d596..000000000 --- a/roles/sram_ldap/files/eduMember.ldif +++ /dev/null @@ -1,27 +0,0 @@ -dn: cn=eduMember,cn=schema,cn=config -objectClass: olcSchemaConfig -cn: eduMember -# Internet X.500 Schema for Ldappc -# Includes the eduMember ObjectClass schema -# -# -# An auxiliary object class, "eduMember," is a convenient container -# for an extensible set of attributes concerning group memberships. -# At this time, the only attributes specified as belonging to the -# object class are "isMemberOf" and "hasMember." -# -olcAttributeTypes: ( 1.3.6.1.4.1.5923.1.5.1.1 - NAME 'isMemberOf' - DESC 'identifiers for groups to which containing entity belongs' - EQUALITY caseExactMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) -olcAttributeTypes: ( 1.3.6.1.4.1.5923.1.5.1.2 - NAME 'hasMember' - DESC 'identifiers for entities that are members of the group' - EQUALITY caseExactMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) -olcObjectClasses: ( 1.3.6.1.4.1.5923.1.5.2.1 - NAME 'eduMember' - AUXILIARY - MAY ( isMemberOf $ hasMember ) - ) diff --git a/roles/sram_ldap/files/eduPerson.ldif b/roles/sram_ldap/files/eduPerson.ldif deleted file mode 100644 index e4f2c96a0..000000000 --- a/roles/sram_ldap/files/eduPerson.ldif +++ /dev/null @@ -1,83 +0,0 @@ -dn: cn=eduperson,cn=schema,cn=config -objectClass: olcSchemaConfig -cn: eduperson -olcAttributeTypes: ( 1.3.6.1.4.1.5923.1.1.1.1 - NAME 'eduPersonAffiliation' - DESC 'eduPerson per Internet2 and EDUCAUSE' - EQUALITY caseIgnoreMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) -olcAttributeTypes: ( 1.3.6.1.4.1.5923.1.1.1.7 - NAME 'eduPersonEntitlement' - DESC 'eduPerson per Internet2 and EDUCAUSE' - EQUALITY caseExactMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) -olcAttributeTypes: ( 1.3.6.1.4.1.5923.1.1.1.2 - NAME 'eduPersonNickName' - DESC 'eduPerson per Internet2 and EDUCAUSE' - EQUALITY caseIgnoreMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) -olcAttributeTypes: ( 1.3.6.1.4.1.5923.1.1.1.3 - NAME 'eduPersonOrgDN' - DESC 'eduPerson per Internet2 and EDUCAUSE' - EQUALITY distinguishedNameMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) -olcAttributeTypes: ( 1.3.6.1.4.1.5923.1.1.1.4 - NAME 'eduPersonOrgUnitDN' - DESC 'eduPerson per Internet2 and EDUCAUSE' - EQUALITY distinguishedNameMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) -olcAttributeTypes: ( 1.3.6.1.4.1.5923.1.1.1.5 - NAME 'eduPersonPrimaryAffiliation' - DESC 'eduPerson per Internet2 and EDUCAUSE' - EQUALITY caseIgnoreMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) -olcAttributeTypes: ( 1.3.6.1.4.1.5923.1.1.1.8 - NAME 'eduPersonPrimaryOrgUnitDN' - DESC 'eduPerson per Internet2 and EDUCAUSE' - EQUALITY distinguishedNameMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) -olcAttributeTypes: ( 1.3.6.1.4.1.5923.1.1.1.6 - NAME 'eduPersonPrincipalName' - DESC 'eduPerson per Internet2 and EDUCAUSE' - EQUALITY caseIgnoreMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) -olcAttributeTypes: ( 1.3.6.1.4.1.5923.1.1.1.12 - NAME 'eduPersonPrincipalNamePrior' - DESC 'eduPersonPrincipalNamePrior per Internet2' - EQUALITY caseIgnoreMatch - SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' ) -olcAttributeTypes: ( 1.3.6.1.4.1.5923.1.1.1.9 - NAME 'eduPersonScopedAffiliation' - DESC 'eduPerson per Internet2 and EDUCAUSE' - EQUALITY caseIgnoreMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) -olcAttributeTypes: ( 1.3.6.1.4.1.5923.1.1.1.10 - NAME 'eduPersonTargetedID' - DESC 'eduPerson per Internet2 and EDUCAUSE' - EQUALITY caseExactMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) -olcAttributeTypes: ( 1.3.6.1.4.1.5923.1.1.1.11 - NAME 'eduPersonAssurance' - DESC 'eduPerson per Internet2 and EDUCAUSE' - EQUALITY caseExactMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) -olcAttributeTypes: ( 1.3.6.1.4.1.5923.1.1.1.13 - NAME 'eduPersonUniqueId' - DESC 'eduPersonUniqueId per Internet2' - EQUALITY caseIgnoreMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) -olcAttributeTypes: ( 1.3.6.1.4.1.5923.1.1.1.16 - NAME 'eduPersonOrcid' - DESC 'ORCID researcher identifiers belonging to the principal' - EQUALITY caseIgnoreMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) -olcObjectClasses: ( 1.3.6.1.4.1.5923.1.1.2 - NAME 'eduPerson' - AUXILIARY - MAY ( - eduPersonAffiliation $ eduPersonNickname $ eduPersonOrgDN $ - eduPersonOrgUnitDN $ eduPersonPrimaryAffiliation $ - eduPersonPrincipalName $ eduPersonEntitlement $ eduPersonPrimaryOrgUnitDN $ - eduPersonScopedAffiliation $ eduPersonTargetedID $ eduPersonAssurance $ - eduPersonPrincipalNamePrior $ eduPersonUniqueId $ eduPersonOrcid ) - ) diff --git a/roles/sram_ldap/files/groupOfMembers.ldif b/roles/sram_ldap/files/groupOfMembers.ldif deleted file mode 100644 index aa10094d3..000000000 --- a/roles/sram_ldap/files/groupOfMembers.ldif +++ /dev/null @@ -1,19 +0,0 @@ -# Internet X.500 Schema for Ldappc -# Includes the groupOfMembers ObjectClass schema -# -# Taken from RFC2307bis draft 2 -# https://tools.ietf.org/html/draft-howard-rfc2307bis-02 -# -# An structural object class, "groupOfMembers" is a convenient container -# for an extensible set of attributes concerning group memberships. -# -dn: cn=groupOfMembers,cn=schema,cn=config -objectClass: olcSchemaConfig -cn: groupOfMembers -olcObjectClasses: ( 1.3.6.1.1.1.2.18 SUP top STRUCTURAL - NAME 'groupOfMembers' - DESC 'A group with members (DNs)' - MUST cn - MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ - description $ member ) - ) diff --git a/roles/sram_ldap/files/ldap-add b/roles/sram_ldap/files/ldap-add deleted file mode 100644 index 3d0c5e487..000000000 --- a/roles/sram_ldap/files/ldap-add +++ /dev/null @@ -1,51 +0,0 @@ -#!/usr/bin/env bash - -# Copyright (C) 2015-2019 Maciej Delmanowski -# Copyright (C) 2015-2019 DebOps -# SPDX-License-Identifier: GPL-3.0-only - -# Check if specified LDAP schema file is loaded in the local slapd cn=config -# database. If not, try loading it in the server. - - -set -o nounset -o pipefail -o errexit - -schema_file="${1}" - -if [ -z "${schema_file}" ] ; then - printf "Error: You need to specify schema file to load\\n" && exit 1 -fi - -if [ ! -e "${schema_file}" ] ; then - printf "Error: %s does not exist\\n" "${schema_file}" && exit 1 -fi - -if [ ! -r "${schema_file}" ] ; then - printf "Error: %s is unreadable\\n" "${schema_file}" && exit 1 -fi - -# The schema file is already converted, we can deal with them directly -if [[ "${schema_file}" == *.ldif ]] ; then - - # Get the DN of the schema - schema_dn="$(grep -E '^^dn:\s' "${schema_file}")" - - # Get list of already installed schemas from local LDAP server - schema_list() { - ldapsearch -Y EXTERNAL -H ldapi:/// -LLLQ -b 'cn=schema,cn=config' dn \ - | sed -e '/^$/d' -e 's/{[0-9]\+}//' - } - - if schema_list | grep -q "${schema_dn}" ; then - - # Schema is already installed, do nothing - exit 80 - - else - - # Try installing the schema in the database - ldapadd -Y EXTERNAL -H ldapi:/// -f "${schema_file}" - - fi - -fi diff --git a/roles/sram_ldap/files/ldapPublicKey.ldif b/roles/sram_ldap/files/ldapPublicKey.ldif deleted file mode 100644 index 8968b6e96..000000000 --- a/roles/sram_ldap/files/ldapPublicKey.ldif +++ /dev/null @@ -1,21 +0,0 @@ -dn: cn=openssh-lpk-openldap,cn=schema,cn=config -objectClass: olcSchemaConfig -cn: openssh-lpk-openldap -# -# LDAP Public Key Patch schema for use with openssh-ldappubkey -# useful with PKA-LDAP also -# -# Author: Eric AUGE -# -# Based on the proposal of : Mark Ruijter -# -# octetString SYNTAX -olcAttributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' - DESC 'MANDATORY: OpenSSH Public key' - EQUALITY octetStringMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) -# printableString SYNTAX yes|no -olcObjectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY - DESC 'MANDATORY: OpenSSH LPK olcObjectClasses:' - MUST ( sshPublicKey $ uid ) - ) diff --git a/roles/sram_ldap/files/sczGroup.ldif b/roles/sram_ldap/files/sczGroup.ldif deleted file mode 100644 index d1b5cb332..000000000 --- a/roles/sram_ldap/files/sczGroup.ldif +++ /dev/null @@ -1,23 +0,0 @@ -# Internet X.500 Schema for Ldappc -# Includes the sczGroup ObjectClass schema -# -# An auxiliary object class, "sczGroup," is a convenient container -# for an extensible set of attributes concerning group memberships. -# At this time, the only attribute specified as belonging to the -# object class is "sczMember." -# -# It is specifically configured to support the memberOf overlay. -# -dn: cn=sczGroup,cn=schema,cn=config -objectClass: olcSchemaConfig -cn: sczGroup -olcAttributeTypes: ( 1.3.6.1.4.1.1076.20.40.50.1.1 - NAME 'sczMember' - DESC 'DN identifiers for entities that are members of the group' - EQUALITY distinguishedNameMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) -olcObjectClasses: ( 1.3.6.1.4.1.1076.20.40.50.1 - NAME 'sczGroup' - AUXILIARY - MAY ( sczMember ) - ) diff --git a/roles/sram_ldap/files/sramPerson.ldif b/roles/sram_ldap/files/sramPerson.ldif deleted file mode 100644 index e194381d1..000000000 --- a/roles/sram_ldap/files/sramPerson.ldif +++ /dev/null @@ -1,23 +0,0 @@ -# Internet X.500 Schema for Ldappc -# Includes the sramPerson ObjectClass schema -# -# An auxiliary object class, "sramPerson," is a convenient container -# for an extensible set of attributes concerning sram persons. -# At this time, the only attribute specified as belonging to the -# object class is "sramInactiveDays". -# -dn: cn=sramPerson,cn=schema,cn=config -objectClass: olcSchemaConfig -cn: sramPerson -olcAttributeTypes: ( 1.3.6.1.4.1.1076.20.100.20.2.1 NAME 'sramInactiveDays' - DESC 'Number of days this entity was inactive' - EQUALITY IntegerMatch - ORDERING IntegerOrderingMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - ) -olcObjectClasses: ( 1.3.6.1.4.1.1076.20.100.20.1.1 NAME 'sramPerson' - AUXILIARY - MAY ( - sramInactiveDays - ) - ) diff --git a/roles/sram_ldap/files/voPerson.ldif b/roles/sram_ldap/files/voPerson.ldif deleted file mode 100644 index bdce11ed8..000000000 --- a/roles/sram_ldap/files/voPerson.ldif +++ /dev/null @@ -1,44 +0,0 @@ -dn: cn=voperson,cn=schema,cn=config -objectClass: olcSchemaConfig -cn: voperson -olcAttributeTypes: {0}( 1.3.6.1.4.1.34998.3.3.1.1 NAME 'voPersonApplicationUID - ' DESC 'voPerson Application-Specific User Identifier' EQUALITY caseIgnoreMat - ch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' ) -olcAttributeTypes: {1}( 1.3.6.1.4.1.34998.3.3.1.2 NAME 'voPersonAuthorName' DE - SC 'voPerson Author Name' EQUALITY caseIgnoreMatch SYNTAX '1.3.6.1.4.1.1466.1 - 15.121.1.15' ) -olcAttributeTypes: {2}( 1.3.6.1.4.1.34998.3.3.1.3 NAME 'voPersonCertificateDN' - DESC 'voPerson Certificate Distinguished Name' EQUALITY distinguishedNameMat - ch SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' ) -olcAttributeTypes: {3}( 1.3.6.1.4.1.34998.3.3.1.4 NAME 'voPersonCertificateIss - uerDN' DESC 'voPerson Certificate Issuer DN' EQUALITY distinguishedNameMatch - SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' ) -olcAttributeTypes: {4}( 1.3.6.1.4.1.34998.3.3.1.5 NAME 'voPersonExternalID' DE - SC 'voPerson Scoped External Identifier' EQUALITY caseIgnoreMatch SYNTAX '1.3 - .6.1.4.1.1466.115.121.1.15' ) -olcAttributeTypes: {5}( 1.3.6.1.4.1.34998.3.3.1.6 NAME 'voPersonID' DESC 'voPe - rson Unique Identifier' EQUALITY caseIgnoreMatch SYNTAX '1.3.6.1.4.1.1466.115 - .121.1.15' ) -olcAttributeTypes: {6}( 1.3.6.1.4.1.34998.3.3.1.7 NAME 'voPersonPolicyAgreemen - t' DESC 'voPerson Policy Agreement Indicator' EQUALITY caseIgnoreMatch SYNTAX - '1.3.6.1.4.1.1466.115.121.1.15' ) -olcAttributeTypes: {7}( 1.3.6.1.4.1.34998.3.3.1.8 NAME 'voPersonSoRID' DESC 'v - oPerson External Identifier' EQUALITY caseIgnoreMatch SYNTAX '1.3.6.1.4.1.146 - 6.115.121.1.15' ) -olcAttributeTypes: {8}( 1.3.6.1.4.1.34998.3.3.1.9 NAME 'voPersonStatus' DESC ' - voPerson Status' EQUALITY caseIgnoreMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1. - 15' ) -olcAttributeTypes: {9}( 1.3.6.1.4.1.34998.3.3.1.10 NAME 'voPersonAffiliation' - DESC 'voPerson Affiliation Within Local Scope' EQUALITY caseIgnoreMatch SYNTA - X '1.3.6.1.4.1.1466.115.121.1.15' ) -olcAttributeTypes: {10}( 1.3.6.1.4.1.34998.3.3.1.11 NAME 'voPersonExternalAffi - liation' DESC 'voPerson Scoped External Affiliation' EQUALITY caseIgnoreMatch - SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' ) -olcAttributeTypes: {11}( 1.3.6.1.4.1.34998.3.3.1.12 NAME 'voPersonScopedAffili - ation' DESC 'voPerson Affiliation With Explicit Local Scope' EQUALITY caseIgn - oreMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' ) -olcObjectClasses: {0}( 1.3.6.1.4.1.34998.3.3.1 NAME 'voPerson' AUXILIARY MAY ( - voPersonAffiliation $ voPersonApplicationUID $ voPersonAuthorName $ voPerson - CertificateDN $ voPersonCertificateIssuerDN $ voPersonExternalAffiliation $ v - oPersonExternalID $ voPersonID $ voPersonPolicyAgreement $ voPersonScopedAffi - liation $ voPersonSoRID $ voPersonStatus ) ) diff --git a/roles/sram_ldap/handlers/main.yml b/roles/sram_ldap/handlers/main.yml deleted file mode 100644 index f6136cfeb..000000000 --- a/roles/sram_ldap/handlers/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: Restart the ldap container - community.docker.docker_container: - name: "sram-ldap" - restart: true - state: started diff --git a/roles/sram_ldap/tasks/admins.yml b/roles/sram_ldap/tasks/admins.yml deleted file mode 100644 index 85ef3a594..000000000 --- a/roles/sram_ldap/tasks/admins.yml +++ /dev/null @@ -1,62 +0,0 @@ ---- -- name: determine ldap admins - set_fact: - ldap_admins: "{{ sram_ldap_admins }}" - -# Find existing ldap admins -- name: Initialize admins (Ia) - community.general.ldap_search: - dn: "{{ sram_ldap_services_dn.basedn }}" - scope: "onelevel" - filter: "(objectClass=organizationalRole)" - attrs: - - "cn" - bind_dn: "{{ sram_ldap_services_dn.binddn }}" - bind_pw: "{{ sram_ldap_services_password }}" - server_uri: "{{sram_ldap_uri }}" - register: "existing_ldap_admins_result" - -# ansible trips over stuff like this: we need to extract the results from the result -- name: Initialize admins (Ib) - set_fact: - existing_ldap_admins: "{{ existing_ldap_admins_result.results }}" - -# Remove LDAP non-admins -- name: Initialize admins (II) - community.general.ldap_entry: - dn: "cn={{ item.cn }},{{ sram_ldap_services_dn.basedn }}" - state: absent - bind_dn: "{{ sram_ldap_services_dn.binddn }}" - bind_pw: "{{ sram_ldap_services_password }}" - server_uri: "{{ sram_ldap_uri }}" - when: > - item.cn not in ldap_admins | map(attribute='uid') - and item.cn != 'admin' - loop: "{{existing_ldap_admins}}" - -# Insert LDAP admins -- name: Initialize admins (III) - community.general.ldap_entry: - dn: "cn={{ item.uid }},{{ sram_ldap_services_dn.basedn }}" - objectClass: - - simpleSecurityObject - - organizationalRole - attributes: - description: An LDAP administrator - userPassword: "{{ item.pw_hash }}" - bind_dn: "{{ sram_ldap_services_dn.binddn }}" - bind_pw: "{{ sram_ldap_services_password }}" - server_uri: "{{ sram_ldap_uri }}" - loop: "{{ ldap_admins }}" - -# Make sure passwords are updated for existing admins -- name: Initialize admins (IV) - community.general.ldap_attrs: - dn: "cn={{ item.uid }},{{ sram_ldap_services_dn.basedn }}" - attributes: - userPassword: "{{ item.pw_hash }}" - bind_dn: "{{ sram_ldap_services_dn.binddn }}" - bind_pw: "{{ sram_ldap_services_password }}" - server_uri: "{{ sram_ldap_uri }}" - loop: "{{ ldap_admins }}" - diff --git a/roles/sram_ldap/tasks/main.yml b/roles/sram_ldap/tasks/main.yml deleted file mode 100644 index b6da9cb18..000000000 --- a/roles/sram_ldap/tasks/main.yml +++ /dev/null @@ -1,305 +0,0 @@ ---- -# playbook to install and configure all components of the LDAP -- name: Install LDAP utils - apt: - state: "present" - name: - - "python3-ldap" # for ansible ldap modules - install_recommends: false - -- name: Ensure that a number of directories exist - file: - path: "{{ item.path }}" - state: "directory" - mode: "{{ item.mode }}" - with_items: - - { path: "{{sram_ldap_ldif_dir}}", mode: "0755" } - - { path: "{{sram_ldap_certs_dir}}", mode: "0755" } - - { path: "{{sram_ldap_data_dir}}", mode: "0777" } - notify: Restart the ldap container - -- name: Copy schemas - copy: - src: "{{ item }}" - dest: "{{ sram_ldap_ldif_dir }}/{{ item }}" - mode: "0644" - with_items: - - sczGroup.ldif - - groupOfMembers.ldif - - eduPerson.ldif - - ldapPublicKey.ldif - - eduMember.ldif - - voPerson.ldif - - sramPerson.ldif - notify: Restart the ldap container - -- name: Copying ldap-add script - copy: - src: "{{ item }}" - dest: "{{ sram_ldap_conf_dir }}/{{ item }}" - mode: "0755" - with_items: - - ldap-add - -- name: Setup ldap hosts - vars: - host: - key: "%s.{{ sram_ldap_base_domain }}" - value: "%s" - etc_hosts: {} - set_fact: - etc_hosts: >- - {{ etc_hosts | - combine({ host.key | format(item.key): host.value | format(item.value) }) }} - with_dict: "{{ sram_ldap_hosts }}" - -- name: "Pull ldap image" - community.docker.docker_image_pull: - name: "{{ sram_ldap_image }}" - register: "ldap_image" - -- name: Create the ldap container - community.docker.docker_container: - name: "sram-ldap" - image: "{{ sram_ldap_image }}" - restart_policy: "always" - state: started - restart: "{{ ldap_image is changed }}" - pull: never - ports: - - 0.0.0.0:389:389 - env: - LDAP_ORGANISATION: "{{ env }}" - LDAP_DOMAIN: "{{ sram_ldap_base_domain }}" - LDAP_ROOTPASS: "{{ sram_ldap_services_password }}" - etc_hosts: "{{ etc_hosts }}" - volumes: - - "{{ sram_ldap_conf_dir }}:/opt/ldap" - networks: - - name: "loadbalancer" - labels: - traefik.enable: "true" - traefik.tcp.routers.ldap.entrypoints: "ldaps" - traefik.tcp.routers.ldap.rule: "HostSNI(`*`)" - traefik.tcp.routers.ldap.tls: "true" - traefik.tcp.services.ldap.loadbalancer.server.port: "389" - healthcheck: - test: - - "CMD" - - "bash" - - "-c" - - "[[ -S /var/run/slapd/ldapi ]]" - register: "ldap_container" - -- name: Wait for LDAP initialization - ansible.builtin.wait_for: - port: 389 - delay: 5 - -- name: Wait for 5 seconds - ansible.builtin.wait_for: - timeout: 5 - when: "ldap_container is changed" - -- name: Ensure the schemas are added to LDAP - ansible.builtin.shell: - cmd: "docker exec sram-ldap /opt/ldap/ldap-add /opt/ldap/schema/{{ item }}" - register: "result" - failed_when: "result.rc not in [0,80]" - changed_when: "result.rc != 80" - become: true - loop: - - "sczGroup.ldif" - - "groupOfMembers.ldif" - - "eduPerson.ldif" - - "ldapPublicKey.ldif" - - "eduMember.ldif" - - "voPerson.ldif" - - "sramPerson.ldif" - -- name: Set indices - community.general.ldap_attrs: - dn: "olcDatabase={1}mdb,cn=config" - attributes: - olcDbIndex: "{{item}}" - state: "present" - bind_dn: "cn=admin,cn=config" - bind_pw: "{{ sram_ldap_services_password }}" - server_uri: "{{ sram_ldap_uri }}" - with_items: - - "entryUUID eq" - - "o eq" - - "dc eq" - - "entryCSN eq" - -- name: Set olcDatabase={-1}frontend olcSizeLimit - community.general.ldap_attrs: - dn: "olcDatabase={-1}frontend,cn=config" - state: "exact" - attributes: - olcSizeLimit: "unlimited" - bind_dn: "cn=admin,cn=config" - bind_pw: "{{ sram_ldap_services_password }}" - server_uri: "{{ sram_ldap_uri }}" - -- name: Set config - community.general.ldap_attrs: - dn: "cn=config" - state: "present" - attributes: - olcServerID: "{{ sram_ldap_server_id }}" - olcSizeLimit: "unlimited" - olcLogLevel: "{{ sram_ldap_loglevel }}" - olcAttributeOptions: "time-" - bind_dn: "cn=admin,cn=config" - bind_pw: "{{ sram_ldap_services_password }}" - server_uri: "{{ sram_ldap_uri }}" - -- name: Setup Modules - community.general.ldap_attrs: - dn: cn=module{0},cn=config - attributes: - olcModuleLoad: - - syncprov - - dynlist.so - bind_dn: "cn=admin,cn=config" - bind_pw: "{{ sram_ldap_services_password }}" - server_uri: "{{ sram_ldap_uri }}" - -- name: Setup Dynlist - community.general.ldap_entry: - dn: olcOverlay=dynlist,olcDatabase={1}mdb,cn=config - objectClass: - - olcOverlayConfig - - olcDynamicList - attributes: - olcDlAttrSet: "voPerson labeledURI member+memberOf@groupOfMembers" - bind_dn: "cn=admin,cn=config" - bind_pw: "{{ sram_ldap_services_password }}" - server_uri: "{{ sram_ldap_uri }}" - -- name: Setup Syncprov - community.general.ldap_entry: - dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config - objectClass: - - olcOverlayConfig - - olcSyncProvConfig - attributes: - olcSpCheckpoint: 100 10 - olcSpSessionLog: 100 - bind_dn: "cn=admin,cn=config" - bind_pw: "{{ sram_ldap_services_password }}" - server_uri: "{{ sram_ldap_uri }}" - -- name: Set ACLs - community.general.ldap_attrs: - dn: "olcDatabase={1}mdb,cn=config" - attributes: - olcAccess: - - >- - to dn.regex="(([^,]+),{{ sram_ldap_services_dn.basedn }})$" - by dn.exact="{{ sram_ldap_services_dn.binddn }}" write - by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth write - by dn.exact,expand="cn=admin,$1" read - by * break - - >- - to * - by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage - by dn.regex="cn=[^,]+,{{ sram_ldap_services_dn.basedn }}" read - {% if env=="vm" %} - by dn.exact=gidNumber=1000+uidNumber=1000,cn=peercred,cn=external,cn=auth manage - {% endif %} - by * break - - >- - to attrs=userPassword - by self write - by anonymous auth - by * break - state: exact - ordered: true - bind_dn: "cn=admin,cn=config" - bind_pw: "{{ sram_ldap_services_password }}" - server_uri: "{{ sram_ldap_uri }}" - -# sram_ldap_rids: -# 101: ldaps://ldap1.scz-vm.net/ -# 102: ldaps://ldap2.scz-vm.net/ - -- name: Set rids - vars: - start: 101 - rid: - key: "%d" - value: "{{ sram_ldap_rid_prefix }}%s.{{ sram_ldap_base_domain }}/" - ldap_rids: {} - set_fact: - ldap_rids: >- - {{ ldap_rids | combine({ rid.key | format(start|int): - rid.value | format(item.key) }) }} - start: "{{ start|int + 1 }}" - with_dict: "{{ sram_ldap_hosts | dict2items | sort(attribute='key') }}" - -# Voor toekomstige Claude gebruikers: onderstaande construct levert aan het eind -# een string representatie van de dict op, die niet meer gebruikt kan worden -# in de hieropvolgende 'Setup rids' task... -# - name: Set rids -# set_fact: -# ldap_rids: >- -# {%- set result = {} %} -# {%- for host in (ldap_hosts | dict2items | sort(attribute='key')) %} -# {%- set _ = result.update({(101 + loop.index0)|string: \ -# ldap_rid_prefix ~ host.key ~ '.' ~ base_domain ~ '/'}) %} -# {%- endfor %} -# {{ result }} - -- name: Setup rids - vars: - rid: >- - rid={} - provider="{}" - searchbase="{{ sram_ldap_services_dn.basedn }}" - type=refreshAndPersist - bindmethod=simple - binddn="{{ sram_ldap_services_dn.binddn }}" - credentials={{ sram_ldap_services_password }} - retry="30 +" - timeout=30 - network-timeout=5 - rids: [] - set_fact: - rids: "{{ rids + [ rid.format(item.key, item.value) ] }}" - with_dict: "{{ dict(ldap_rids) }}" - -- name: Setup Syncrepl - community.general.ldap_attrs: - dn: olcDatabase={1}mdb,cn=config - attributes: - olcSyncrepl: "{{ rids }}" - olcMultiProvider: "TRUE" - bind_dn: "cn=admin,cn=config" - bind_pw: "{{ sram_ldap_services_password }}" - server_uri: "{{ sram_ldap_uri }}" - -# We now have Syncrepl in place, so only write to primary -- name: Initialize DIT - community.general.ldap_entry: - dn: "{{ sram_ldap_services_dn.basedn }}" - state: "present" - objectClass: - - "top" - - "dcObject" - - "organization" - attributes: - dc: "{{ sram_ldap_services_dn.basedn | regex_replace('^dc=([^,]+).*', '\\1') }}" - o: "{{ sram_ldap_services_dn.o }}" - bind_dn: "{{ sram_ldap_services_dn.binddn }}" - bind_pw: "{{ sram_ldap_services_password }}" - server_uri: "{{ sram_ldap_uri }}" - when: > - inventory_hostname in groups['sram_ldap_primary'] - -# We now have Syncrepl in place, so only write to primary -- name: Add ldap admins - include_tasks: "admins.yml" - when: > - inventory_hostname in groups['sram_ldap_primary'] diff --git a/roles/sram_ldap/templates/ldap.conf.j2 b/roles/sram_ldap/templates/ldap.conf.j2 deleted file mode 100644 index d7fa7c227..000000000 --- a/roles/sram_ldap/templates/ldap.conf.j2 +++ /dev/null @@ -1,16 +0,0 @@ -# -# LDAP Defaults -# - -# See ldap.conf(5) for details -# This file should be world readable but not world writable. - -#BASE dc=example,dc=com -#URI ldap://ldap.example.com ldap://ldap-master.example.com:666 - -#SIZELIMIT 12 -#TIMELIMIT 15 -#DEREF never - -# TLS certificates (needed for GnuTLS) -TLS_CACERT {{ ssl_certs_dir }}/{{ internal_base_domain }}.crt diff --git a/roles/sram_midproxy/defaults/main.yml b/roles/sram_midproxy/defaults/main.yml deleted file mode 100644 index 585af3dd6..000000000 --- a/roles/sram_midproxy/defaults/main.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -sram_midproxy_user: midproxy -sram_midproxy_group: midproxy -sram_midproxy_satosa_version: 8 -sram_midproxy_state_encryption_key: 'secret' -sram_midproxy_issuer: 'issuer' -sram_midproxy_client_id: 'client' -sram_midproxy_client_secret: 'secret' -sram_midproxy_sp_metadata: 'eb-metadata.xml' diff --git a/roles/sram_midproxy/files/internal_attributes.yaml b/roles/sram_midproxy/files/internal_attributes.yaml deleted file mode 100644 index eb3dcd66e..000000000 --- a/roles/sram_midproxy/files/internal_attributes.yaml +++ /dev/null @@ -1,22 +0,0 @@ -attributes: - displayname: - openid: [name] - saml: [displayName] - givenname: - openid: [given_name] - saml: [givenName] - mail: - openid: [email] - saml: [mail] - name: - openid: [name] - saml: [cn] - surname: - openid: [family_name] - saml: [sn, surname] - uid: - openid: [sub] - saml: [uid] - schachomeorganization: - openid: [schac_home_organization] - saml: [schacHomeOrganization] diff --git a/roles/sram_midproxy/files/plugins/attribute-maps/basic.py b/roles/sram_midproxy/files/plugins/attribute-maps/basic.py deleted file mode 100644 index f98466df5..000000000 --- a/roles/sram_midproxy/files/plugins/attribute-maps/basic.py +++ /dev/null @@ -1,51 +0,0 @@ -DEF = "urn:mace:dir:attribute-def:" -TERENA = "urn:mace:terena.org:attribute-def:" - -MAP = { - "identifier": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic", - "fro": { - f"{TERENA}schacHomeOrganization": "schacHomeOrganization", - f"{DEF}cn": "cn", - f"{DEF}displayName": "displayName", - f"{DEF}eduPersonAffiliation": "eduPersonAffiliation", - f"{DEF}eduPersonEntitlement": "eduPersonEntitlement", - f"{DEF}eduPersonPrincipalName": "eduPersonPrincipalName", - f"{DEF}eduPersonScopedAffiliation": "eduPersonScopedAffiliation", - f"{DEF}eduPersonTargetedID": "eduPersonTargetedID", - f"{DEF}eduPersonAssurance": "eduPersonAssurance", - f"{DEF}email": "email", - f"{DEF}emailAddress": "emailAddress", - f"{DEF}givenName": "givenName", - f"{DEF}gn": "gn", - f"{DEF}isMemberOf": "isMemberOf", - f"{DEF}mail": "mail", - f"{DEF}member": "member", - f"{DEF}name": "name", - f"{DEF}sn": "sn", - f"{DEF}surname": "surname", - f"{DEF}uid": "uid", - }, - "to": { - "schacHomeOrganization": f"{TERENA}schacHomeOrganization", - "cn": f"{DEF}cn", - "displayName": f"{DEF}displayName", - "eduPersonAffiliation": f"{DEF}eduPersonAffiliation", - "eduPersonEntitlement": f"{DEF}eduPersonEntitlement", - "eduPersonPrincipalName": f"{DEF}eduPersonPrincipalName", - "eduPersonScopedAffiliation": f"{DEF}eduPersonScopedAffiliation", - "eduPersonTargetedID": f"{DEF}eduPersonTargetedID", - "eduPersonAssurance": f"{DEF}eduPersonAssurance", - "eduPersonOrcid": f"{DEF}eduPersonOrcid", - "email": f"{DEF}email", - "emailAddress": f"{DEF}emailAddress", - "givenName": f"{DEF}givenName", - "gn": f"{DEF}gn", - "isMemberOf": f"{DEF}isMemberOf", - "mail": f"{DEF}mail", - "member": f"{DEF}member", - "name": f"{DEF}name", - "sn": f"{DEF}sn", - "surname": f"{DEF}surname", - "uid": f"{DEF}uid", - }, -} diff --git a/roles/sram_midproxy/files/plugins/backends/openid_backend.yaml b/roles/sram_midproxy/files/plugins/backends/openid_backend.yaml deleted file mode 100644 index cb78fcccd..000000000 --- a/roles/sram_midproxy/files/plugins/backends/openid_backend.yaml +++ /dev/null @@ -1,14 +0,0 @@ -module: satosa.backends.openid_connect.OpenIDConnectBackend -name: myaccessid -config: - provider_metadata: - issuer: !ENV SATOSA_ISSUER - client: - verify_ssl: yes - auth_req_params: - response_type: code - scope: [openid, profile, email, schac_home_organization] - client_metadata: - client_id: !ENV SATOSA_CLIENT_ID - client_secret: !ENV SATOSA_CLIENT_SECRET - redirect_uris: [/] diff --git a/roles/sram_midproxy/files/plugins/backends/saml2_backend.yaml b/roles/sram_midproxy/files/plugins/backends/saml2_backend.yaml deleted file mode 100644 index ed97d539c..000000000 --- a/roles/sram_midproxy/files/plugins/backends/saml2_backend.yaml +++ /dev/null @@ -1 +0,0 @@ ---- diff --git a/roles/sram_midproxy/files/plugins/frontends/ping_frontend.yaml b/roles/sram_midproxy/files/plugins/frontends/ping_frontend.yaml deleted file mode 100644 index c09b218b6..000000000 --- a/roles/sram_midproxy/files/plugins/frontends/ping_frontend.yaml +++ /dev/null @@ -1,3 +0,0 @@ -module: satosa.frontends.ping.PingFrontend -name: ping -config: null diff --git a/roles/sram_midproxy/files/plugins/frontends/saml2_frontend.yaml b/roles/sram_midproxy/files/plugins/frontends/saml2_frontend.yaml deleted file mode 100644 index 1f8029b66..000000000 --- a/roles/sram_midproxy/files/plugins/frontends/saml2_frontend.yaml +++ /dev/null @@ -1,63 +0,0 @@ -module: satosa.frontends.saml2.SAMLFrontend -name: idp -config: - #acr_mapping: - # "": "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified" - # "https://accounts.google.com": "http://eidas.europa.eu/LoA/low" - - endpoints: - single_sign_on_service: - 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST': sso/post - 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect': sso/redirect - - # If configured and not false or empty the common domain cookie _saml_idp will be set - # with or have appended the IdP used for authentication. The default is not to set the - # cookie. If the value is a dictionary with key 'domain' then the domain for the cookie - # will be set to the value for the 'domain' key. If no 'domain' is set then the domain - # from the BASE defined for the proxy will be used. - #common_domain_cookie: - # domain: .example.com - - entityid_endpoint: true - enable_metadata_reload: no - - idp_config: - organization: {display_name: SURF, name: SURF, url: 'https://www.surf.nl/'} - contact_person: - - {contact_type: technical, email_address: 'mailto:sram-beheer@surf.nl', given_name: Technical} - - {contact_type: support, email_address: 'mailto:sram-beheer@surf.nl', given_name: Support} - - {contact_type: other, email_address: 'mailto:sram-beheer@surf.nl', given_name: Security, extension_attributes: {'xmlns:remd': 'http://refeds.org/metadata', 'remd:contactType': 'http://refeds.org/metadata/contactType/security'}} - key_file: frontend.key - cert_file: frontend.crt - metadata: - # remote: - # - url: https://engine.test2.surfconext.nl/authentication/sp/metadata - # cert: null - local: [!ENV SATOSA_SP_METADATA] - entityid: //proxy.xml - accepted_time_diff: 60 - attribute_map_dir: plugins/attribute-maps - service: - idp: - endpoints: - single_sign_on_service: [] - name: Proxy IdP - ui_info: - display_name: - - lang: en - text: "MyAccessID proxy" - description: - - lang: en - text: "MyAccessID proxy" - keywords: - - lang: en - text: ["MyAccessID", "proxy"] - name_id_format: ['urn:oasis:names:tc:SAML:2.0:nameid-format:persistent', 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'] - policy: - default: - fail_on_missing_requested: false - name_form: urn:oasis:names:tc:SAML:2.0:attrname-format:basic - attribute_restrictions: null - lifetime: {minutes: 15} - encrypt_assertion: false - encrypted_advice_attributes: false diff --git a/roles/sram_midproxy/files/plugins/microservices/generate_attributes.yaml b/roles/sram_midproxy/files/plugins/microservices/generate_attributes.yaml deleted file mode 100644 index 86ac4e1f1..000000000 --- a/roles/sram_midproxy/files/plugins/microservices/generate_attributes.yaml +++ /dev/null @@ -1,8 +0,0 @@ -module: satosa.micro_services.attribute_generation.AddSyntheticAttributes -name: AddSyntheticAttributes -config: - synthetic_attributes: - default: - default: - schachomeorganization: >- - {{ uid.scope }} diff --git a/roles/sram_midproxy/files/plugins/microservices/regex_attributes.yaml b/roles/sram_midproxy/files/plugins/microservices/regex_attributes.yaml deleted file mode 100644 index e820311e7..000000000 --- a/roles/sram_midproxy/files/plugins/microservices/regex_attributes.yaml +++ /dev/null @@ -1,10 +0,0 @@ -module: satosa.micro_services.attribute_processor.AttributeProcessor -name: RegexAttributeProcessor -config: - process: - - attribute: uid - processors: - - name: RegexSubProcessor - module: satosa.micro_services.processors.regex_sub_processor - regex_sub_match_pattern: ^(.+)@.+$ - regex_sub_replace_pattern: \1 diff --git a/roles/sram_midproxy/files/proxy_conf.yaml b/roles/sram_midproxy/files/proxy_conf.yaml deleted file mode 100644 index 136268e61..000000000 --- a/roles/sram_midproxy/files/proxy_conf.yaml +++ /dev/null @@ -1,74 +0,0 @@ -# BASE: https://example.com -BASE: !ENV SATOSA_BASE - -COOKIE_STATE_NAME: "SATOSA_STATE" -CONTEXT_STATE_DELETE: yes -#STATE_ENCRYPTION_KEY: "asdASD123" - -cookies_samesite_compat: - - ["SATOSA_STATE", "SATOSA_STATE_LEGACY"] - -INTERNAL_ATTRIBUTES: "internal_attributes.yaml" - -BACKEND_MODULES: - - "plugins/backends/openid_backend.yaml" - -FRONTEND_MODULES: - - "plugins/frontends/saml2_frontend.yaml" - - "plugins/frontends/ping_frontend.yaml" - -MICRO_SERVICES: - - "plugins/microservices/generate_attributes.yaml" - - "plugins/microservices/regex_attributes.yaml" - -LOGGING: - version: 1 - formatters: - simple: - format: "[%(asctime)s] [%(levelname)s] [%(name)s.%(funcName)s] %(message)s" - handlers: - stdout: - class: logging.StreamHandler - stream: "ext://sys.stdout" - level: INFO - formatter: simple - syslog: - class: logging.handlers.SysLogHandler - address: "/dev/log" - level: INFO - formatter: simple - debug_file: - class: logging.FileHandler - filename: satosa-debug.log - encoding: utf8 - level: INFO - formatter: simple - error_file: - class: logging.FileHandler - filename: satosa-error.log - encoding: utf8 - level: ERROR - formatter: simple - info_file: - class: logging.handlers.RotatingFileHandler - filename: satosa-info.log - encoding: utf8 - maxBytes: 10485760 # 10MB - backupCount: 20 - level: INFO - formatter: simple - loggers: - satosa: - level: INFO - saml2: - level: INFO - oidcendpoint: - level: INFO - pyop: - level: INFO - oic: - level: INFO - root: - level: INFO - handlers: - - stdout diff --git a/roles/sram_midproxy/tasks/main.yml b/roles/sram_midproxy/tasks/main.yml deleted file mode 100644 index 19125220b..000000000 --- a/roles/sram_midproxy/tasks/main.yml +++ /dev/null @@ -1,90 +0,0 @@ ---- -- name: "Create midproxy group" - group: - name: "{{ sram_midproxy_group }}" - state: "present" - register: "result" - -- name: "Create midproxy user" - user: - name: "{{ sram_midproxy_user }}" - group: "{{ sram_midproxy_group }}" - comment: "User to run Midproxy service" - shell: "/bin/false" - password: "!" - create_home: false - state: "present" - register: "result" - -- name: "Save midproxy user uid" - set_fact: - # --check fails on result.uid if user was never provisioned - midproxy_user_uid: "{{ result.uid | default(1000) }}" - -- name: Create directory to keep configfile - ansible.builtin.file: - dest: "/opt/sram/midproxy" - state: directory - owner: "{{ sram_midproxy_user }}" - group: "{{ sram_midproxy_group }}" - # mkdir: cannot create directory '.': Permission denied - mode: "0777" - -- name: Copy EB SP metadata - ansible.builtin.copy: - src: "{{ inventory_dir }}/files/sram_midproxy/{{ sram_midproxy_sp_metadata }}" - dest: "/opt/sram/midproxy/{{ sram_midproxy_sp_metadata }}" - owner: "{{ sram_midproxy_user }}" - group: "{{ sram_midproxy_group }}" - # mkdir: cannot create directory '.': Permission denied - mode: "0644" - -- name: Copy SATOSA conf files - ansible.builtin.copy: - src: "{{ item }}" - dest: "/opt/sram/midproxy/{{ item }}" - owner: "{{ sram_midproxy_user }}" - group: "{{ sram_midproxy_group }}" - with_items: - - internal_attributes.yaml - - proxy_conf.yaml - - plugins/ - -- name: "Pull satosa image" - community.docker.docker_image_pull: - name: "{{ sram_midproxy_satosa_image }}" - register: "satosa_image" - -- name: Create the SATOSA container - community.docker.docker_container: - name: sram-midproxy - image: "{{ sram_midproxy_satosa_image }}" - pull: never - restart_policy: "always" - state: started - restart: "{{ satosa_image is changed }}" - # 2026-05-21 07:25:44 +0000] [1] [ERROR] Control server error: [Errno 13] Permission denied: '/.gunicorn' - # user: "{{ midproxy_user_uid }}" - networks: - - name: "loadbalancer" - env: - SATOSA_BASE: 'https://midproxy.{{ openconextaccess_base_domain }}' - SATOSA_STATE_ENCRYPTION_KEY: '{{ sram_midproxy_state_encryption_key }}' - SATOSA_SP_METADATA: '{{ sram_midproxy_sp_metadata }}' - SATOSA_ISSUER: '{{ sram_midproxy_issuer }}' - SATOSA_CLIENT_ID: '{{ sram_midproxy_client_id }}' - SATOSA_CLIENT_SECRET: '{{ sram_midproxy_client_secret }}' - volumes: - - /opt/sram/midproxy:/etc/satosa - labels: - traefik.http.routers.midproxy.rule: "Host(`midproxy.{{ openconextaccess_base_domain }}`)" - traefik.http.routers.midproxy.tls: "true" - traefik.enable: "true" - # curl is not availavble in the minimized satosa image - # so this healthcheck won't work - # healthcheck: - # test: ["CMD", "curl", "--fail" , "http://localhost" ] - # interval: 10s - # timeout: 10s - # retries: 3 - # start_period: 10s diff --git a/roles/sram_plsc/defaults/main.yml b/roles/sram_plsc/defaults/main.yml deleted file mode 100644 index 6dd2780a1..000000000 --- a/roles/sram_plsc/defaults/main.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -sram_plsc_image: "ghcr.io/surfscz/sram-plsc:main" -sram_plsc_conf_dir: "{{current_release_appdir}}/sram/plsc" -sram_plsc_ansible_nolog: false -sram_plsc_ldap_uri: "ldap://ldap:389/" -sram_plsc_ldap_basedn: "dc=services,dc=vnet" -sram_plsc_ldap_binddn: "cn=admin,dc=vnet" -sram_plsc_ldap_password: "secret" -sram_plsc_sbs_host: "http://sbs-server:8080" -sram_plsc_sbs_user: "sysread" -sram_plsc_sbs_password: "secret" -sram_plsc_retry: 3 diff --git a/roles/sram_plsc/handlers/main.yml b/roles/sram_plsc/handlers/main.yml deleted file mode 100644 index a0dee373a..000000000 --- a/roles/sram_plsc/handlers/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: Restart the plsc container - community.docker.docker_container: - name: sram-plsc - restart: true - state: started diff --git a/roles/sram_plsc/tasks/main.yml b/roles/sram_plsc/tasks/main.yml deleted file mode 100644 index 365cf0866..000000000 --- a/roles/sram_plsc/tasks/main.yml +++ /dev/null @@ -1,35 +0,0 @@ ---- -- name: Make sure clients sync directory exists - file: - path: "{{ sram_plsc_conf_dir }}" - state: directory - mode: "0755" - -- name: "Create plsc.yml source if it doesn't exist" - template: - src: "plsc.yml.j2" - dest: "{{ sram_plsc_conf_dir }}/plsc.yml" - mode: "0640" - no_log: "{{ sram_plsc_ansible_nolog }}" - notify: "Restart the plsc container" - -- name: "Pull plsc image" - community.docker.docker_image_pull: - name: "{{ sram_plsc_image }}" - register: "plsc_image" - -- name: Create the plsc container - community.docker.docker_container: - name: "sram-plsc" - image: "{{ sram_plsc_image }}" - restart_policy: "always" - state: started - restart: "{{ plsc_image is changed }}" - pull: never - mounts: - - type: bind - source: "{{ sram_plsc_conf_dir }}/plsc.yml" - target: "/opt/plsc/plsc.yml" - networks: - # TODO: Should this not be parametrized? - - name: "loadbalancer" diff --git a/roles/sram_plsc/templates/plsc.yml.j2 b/roles/sram_plsc/templates/plsc.yml.j2 deleted file mode 100644 index 069f14d8b..000000000 --- a/roles/sram_plsc/templates/plsc.yml.j2 +++ /dev/null @@ -1,25 +0,0 @@ ---- -ldap: - src: - uri: "{{ sram_plsc_ldap_uri }}" - basedn: "{{ sram_plsc_ldap_basedn }}" - binddn: "{{ sram_plsc_ldap_binddn }}" - passwd: "{{ sram_plsc_ldap_password }}" - sizelimit: 500 - dst: - uri: "{{ sram_plsc_ldap_uri }}" - basedn: "{{ sram_plsc_ldap_basedn }}" - binddn: "{{ sram_plsc_ldap_binddn }}" - passwd: "{{ sram_plsc_ldap_password }}" - sizelimit: 500 -sbs: - src: - host: "{{ sram_plsc_sbs_host }}" - user: "{{ sram_plsc_sbs_user }}" - passwd: "{{ sram_plsc_sbs_password }}" - verify_ssl: {{ false if env=='vm' else true }} - timeout: 60 - retry: {{ sram_plsc_retry }} -pwd: "{CRYPT}!" -uid: 1000 -gid: 1000 diff --git a/roles/sram_redis/defaults/main.yml b/roles/sram_redis/defaults/main.yml deleted file mode 100644 index 28022a1af..000000000 --- a/roles/sram_redis/defaults/main.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -sram_redis_image: "docker.io/library/redis:7" -sram_redis_conf_dir: "{{ current_release_appdir }}/sram/redis" -sram_redis_data_dir: "{{ current_release_appdir }}/sram/redis/data" -sram_redis_user: redis -sram_redis_group: redis -sram_redis_redis_user: default -sram_redis_redis_password: changethispassword -sram_redis_max_memory: 100mb diff --git a/roles/sram_redis/handlers/main.yml b/roles/sram_redis/handlers/main.yml deleted file mode 100644 index b08f0b62b..000000000 --- a/roles/sram_redis/handlers/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: Restart redis container - community.docker.docker_container: - name: sram-redis - state: started - restart: true diff --git a/roles/sram_redis/tasks/main.yml b/roles/sram_redis/tasks/main.yml deleted file mode 100644 index c4c8286c6..000000000 --- a/roles/sram_redis/tasks/main.yml +++ /dev/null @@ -1,68 +0,0 @@ ---- -- name: "Create redis group" - group: - name: "{{ sram_redis_group }}" - state: "present" - register: "result" - -- name: "Save redis group gid" - set_fact: - redis_group_gid: "{{ result.gid }}" - -- name: "Create redis user" - user: - name: "{{ sram_redis_user }}" - group: "{{ sram_redis_group }}" - comment: "User to run SRAM Redis service" - shell: "/bin/false" - password: "!" - home: "{{ sram_redis_conf_dir }}" - create_home: false - state: "present" - register: "result" - -- name: "Save redis user uid" - set_fact: - redis_user_uid: "{{ result.uid }}" - -- name: "Create directories" - file: - path: "{{item.path}}" - state: "directory" - owner: "{{ sram_redis_user }}" - group: "{{ sram_redis_group }}" - mode: "{{item.mode}}" - with_items: - - { path: "{{sram_redis_conf_dir}}", mode: "0755" } - - { path: "{{sram_redis_data_dir}}", mode: "0755" } - -- name: "Create redis config" - template: - src: "redis.conf.j2" - dest: "{{ sram_redis_conf_dir }}/redis.conf" - owner: "{{ sram_redis_user }}" - group: "{{ sram_redis_group }}" - mode: "0644" - notify: "Restart redis container" - -- name: "Pull redis image" - community.docker.docker_image_pull: - name: "{{ sram_redis_image }}" - register: "redis_image" - -- name: "Create redis container" - community.docker.docker_container: - name: "sram-redis" - image: "{{ sram_redis_image }}" - restart_policy: "always" - state: "started" - restart: "{{ redis_image is changed }}" - user: "{{ redis_user_uid }}:{{ redis_group_gid }}" - command: | - redis-server /usr/local/etc/redis/redis.conf - volumes: - - "{{ sram_redis_conf_dir }}:/usr/local/etc/redis" - - "{{ sram_redis_data_dir }}:/data" - networks: - # TODO: Should this not be parametrized? - - name: loadbalancer diff --git a/roles/sram_redis/templates/redis.conf.j2 b/roles/sram_redis/templates/redis.conf.j2 deleted file mode 100644 index 14d3ef177..000000000 --- a/roles/sram_redis/templates/redis.conf.j2 +++ /dev/null @@ -1,3 +0,0 @@ -user {{ sram_redis_redis_user }} on +@all ~* &* >{{ sram_redis_redis_password }} -maxmemory {{ sram_redis_max_memory }} -maxmemory-policy allkeys-lru diff --git a/roles/sram_sbs/defaults/main.yml b/roles/sram_sbs/defaults/main.yml deleted file mode 100644 index 4c34c113f..000000000 --- a/roles/sram_sbs/defaults/main.yml +++ /dev/null @@ -1,163 +0,0 @@ ---- -sram_sbs_base_domain: "test2.sram.surf.nl" -sram_sbs_ansible_nolog: true -sram_sbs_base_url: "https://{{ sram_sbs_base_domain }}" -sram_sbs_server_image: "ghcr.io/surfscz/sram-sbs-server:main" -sram_sbs_client_image: "ghcr.io/surfscz/sram-sbs-client:main" - -sram_sbs_openidc_timeout: 86400 -sram_sbs_sram_conf_dir: "{{ current_release_appdir }}/sram" - -sram_sbs_work_dir: "{{ sram_sbs_sram_conf_dir }}/sbs" -sram_sbs_git_dir: "{{ sram_sbs_work_dir }}/sbs" -sram_sbs_env_dir: "{{ sram_sbs_work_dir }}/sbs-env" -sram_sbs_conf_dir: "{{ sram_sbs_work_dir }}/config" -sram_sbs_log_dir: "{{ sram_sbs_work_dir }}/log" -sram_sbs_apache_conf: "{{ sram_sbs_work_dir }}/sbs.conf" -sram_sbs_nginx_conf: "{{ sram_sbs_work_dir }}/nginx.conf" - -sram_sbs_db_name: "sbs" -sram_sbs_db_user: "sbsrw" -sram_sbs_migration_user: "sbsmigrate" - -sram_sbs_db_connection: "\ - mysql+mysqldb://%s:%s@{{ mariadb_host }}/{{ sram_sbs_db_name }}\ - ?ssl=true&charset=utf8mb4" -sram_sbs_db_connection_sbs: "{{ sram_sbs_db_connection | format(sram_sbs_db_user, mysql_passwords.sbs) }}" -sram_sbs_db_connection_migration: "\ - {{ sram_sbs_db_connection | format(sram_sbs_migration_user, mysql_passwords.sbsmigrate) }}" - -sram_sbs_db_secret: secret -sram_sbs_secret_key_suffix: suffix -sram_sbs_encryption_key: encryption_key - -sram_sbs_redis_host: sram-redis -sram_sbs_redis_port: 6379 -sram_sbs_redis_ssl: false -sram_sbs_redis_user: default - -sram_sbs_mail_host: "host.docker.internal" -sram_sbs_mail_port: 25 - -sram_sbs_user: "sbs" -sram_sbs_group: "sbs" - -sram_sbs_session_lifetime: 1440 - -sram_sbs_oidc_crypto_password: "CHANGEME" -sram_sbs_uid_attribute: "sub" - -sram_sbs_disclaimer_color: "#a29c13" -sram_sbs_disclaimer_label: wsgi - -sram_sbs_urn_namespace: "urn:example:sbs" -sram_sbs_eppn_scope: "sbs.example.edu" -sram_sbs_restricted_co_default_org: "example.org" - -sram_sbs_mail_sender_name: "SURF" -sram_sbs_mail_sender_email: "no-reply@localhost" -sram_sbs_exceptions_mail: "root@localhost" - -sram_sbs_support_email: "sram-support@localhost" -sram_sbs_admin_email: "sram-beheer@localhost" -sram_sbs_ticket_email: "sram-support@surf.nl" -sram_sbs_eduteams_email: "eduteams@localhost" - -sram_sbs_suppress_mails: False - -sram_sbs_wiki_link: "https://www.example.org/wiki" - -sram_sbs_cron_hour_of_day: 4 -sram_sbs_seed_allowed: True -sram_sbs_api_keys_enabled: True -sram_sbs_feedback_enabled: True -sram_sbs_audit_trail_notifications_enabled: True -sram_sbs_send_exceptions: False -sram_sbs_send_js_exceptions: False -sram_sbs_second_factor_authentication_required: True -sram_sbs_totp_token_name: "SRAM-example" -sram_sbs_notifications_enabled: True -sram_sbs_invitation_reminders_enabled: True -sram_sbs_invitation_expirations_enabled: True -sram_sbs_open_requests_enabled: True -sram_sbs_scim_sweep: False -sram_sbs_impersonation_allowed: True -sram_sbs_admin_platform_backdoor_totp: True -sram_sbs_past_dates_allowed: True -sram_sbs_mock_scim_enabled: True -sram_sbs_log_to_stdout: True - -sram_sbs_delete_orphaned: True -sram_sbs_suspension_inactive_days: 365 -sram_sbs_suspension_reminder_days: 14 -sram_sbs_suspension_notify_admin: False - -sram_sbs_oidc_config_url: "http://localhost/.well-known/openid-configuration" -sram_sbs_oidc_authz_endpoint: "http://localhost/OIDC/authorization" -sram_sbs_oidc_token_endpoint: "http://localhost/OIDC/token" -sram_sbs_oidc_userinfo_endpoint: "http://localhost/OIDC/userinfo" -sram_sbs_oidc_jwks_endpoint: "http://localhost/OIDC/jwks.json" -sram_sbs_oidc_redirect_uri: "https://{{sram_sbs_base_domain}}/api/users/resume-session" -sram_sbs_oidc_jwt_audience: "https://localhost" -sram_sbs_continue_eduteams_redirect_uri: "https://localhost/continue" -sram_sbs_oidc_verify_peer: False -sram_sbs_oidc_scopes: - - openid - -sram_sbs_mfa_idp_allowed: false -sram_sbs_eduteams_continue_endpoint: "https://localhost/continue" -sram_sbs_eb_continue_endpoint: "https://engine.(.*)surfconext.nl(.*)" - -sram_sbs_manage_base_enabled: False -sram_sbs_manage_base_url: "https://manage.{{base_domain}}" -sram_sbs_manage_sram_rp_entity_id: "sbs.{{sram_sbs_base_domain}}" -sram_sbs_manage_verify_peer: False - -sram_sbs_idp_metadata_url: "https://metadata.surfconext.nl/signed/2023/edugain-downstream-idp.xml " -# backup_dir: "{{backup_base}}/sbs" - -sram_sbs_swagger_enabled: true - -sram_sbs_ssid_identity_providers: [] -sram_sbs_surf_secure_id: - environment: "unknown.example.org" - sp_entity_id: "https://sbs.{{sram_sbs_base_domain}}" - acs_url: "https://{{sram_sbs_base_domain}}/api/users/acs" - sa_gw_environment: "sa-gw.unknown.example.org" - sa_idp_certificate: | - -----BEGIN CERTIFICATE----- - 12345 - -----END CERTIFICATE----- - priv: | - -----BEGIN RSA PRIVATE KEY----- - abcde - -----END RSA PRIVATE KEY----- - pub: | - -----BEGIN CERTIFICATE----- - 12345 - -----END CERTIFICATE----- - -sram_sbs_ssid_authncontext: "\ - http://{{ sram_sbs_surf_secure_id.environment }}/assurance/sfo-level2" -sram_sbs_ssid_entityid: "\ - https://{{ sram_sbs_surf_secure_id.sa_gw_environment }}/second-factor-only/metadata" -sram_sbs_ssid_sso_endpoint: "\ - https://{{ sram_sbs_surf_secure_id.sa_gw_environment }}/second-factor-only/single-sign-on" - -sram_sbs_mfa_sso_minutes: 10 -sram_sbs_mfa_fallback_enabled: true - -sram_sbs_ldap_url: "ldap://ldap.example.com/dc=example,dc=com" -sram_sbs_ldap_bind_account: "cn=admin,dc=entity_id,dc=services,dc=sram-tst,dc=surf,dc=nl" - -sram_sbs_csp_style_hashes: - - 'sha256-0+ANsgYUJdh56RK8gGvTF2vnriYqvFHfWqtA8xXa+bA=' - - 'sha256-3SnfHQolDHbZMbDAPmhrZf1keHiXfj/KJyh2phhFAAY=' - - 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' - - 'sha256-Ng6y+QCkPChG4Q49SIfXB5ToIDcDhITtQNFkDBPpCTw=' - - 'sha256-orBPipbqpMvkNi+Z+m6qEn0XS6ymmAQE6+FwCNs1FbQ=' - - 'sha256-vFt3L2qLqpJmRpcXGbYr2UVSmgSp9VCUzz2lnqWIATw=' - - 'sha256-SU3XCwbQ/8qgzoGOWCYdkwIr3xRrl5rsvdFcpw8NSiE=' # on /new-service-request - - 'sha256-WTC9gHKjIpzl5ub1eg/YrRy/k+jlzeyRojah9dxAApc=' # on /new-service-request - -sram_sbs_engine_block_api_token: secret diff --git a/roles/sram_sbs/files/yarn.gpg b/roles/sram_sbs/files/yarn.gpg deleted file mode 100644 index 3e9e7d155..000000000 --- a/roles/sram_sbs/files/yarn.gpg +++ /dev/null @@ -1,243 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v1 - -mQINBFf0j5oBEADS6cItqCbf4lOLICohq2aHqM5I1jsz3DC4ddIU5ONbKXP1t0wk -FEUPRzd6m80cTo7Q02Bw7enh4J6HvM5XVBSSGKENP6XAsiOZnY9nkXlcQAPFRnCn -CjEfoOPZ0cBKjn2IpIXXcC+7xh4p1yruBpOsCbT6BuzA+Nm9j4cpRjdRdWSSmdID -TyMZClmYm/NIfCPduYvNZxZXhW3QYeieP7HIonhZSHVu/jauEUyHLVsieUIvAOJI -cXYpwLlrw0yy4flHe1ORJzuA7EZ4eOWCuKf1PgowEnVSS7Qp7lksCuljtfXgWelB -XGJlAMD90mMbsNpQPF8ywQ2wjECM8Q6BGUcQuGMDBtFihobb+ufJxpUOm4uDt0y4 -zaw+MVSi+a56+zvY0VmMGVyJstldPAcUlFYBDsfC9+zpzyrAqRY+qFWOT2tj29R5 -ZNYvUUjEmA/kXPNIwmEr4oj7PVjSTUSpwoKamFFE6Bbha1bzIHpdPIRYc6cEulp3 -dTOWfp+Cniiblp9gwz3HeXOWu7npTTvJBnnyRSVtQgRnZrrtRt3oLZgmj2fpZFCE -g8VcnQOb0iFcIM7VlWL0QR4SOz36/GFyezZkGsMlJwIGjXkqGhcEHYVDpg0nMoq1 -qUvizxv4nKLanZ5jKrV2J8V09PbL+BERIi6QSeXhXQIui/HfV5wHXC6DywARAQAB -tBxZYXJuIFBhY2thZ2luZyA8eWFybkBkYW4uY3g+iQI5BBMBCAAjBQJX9I+aAhsD -BwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQFkawG4blAxB52Q/9FcyGIEK2 -QamDhookuoUGGYjIeN+huQPWmc6mLPEKS2Vahk5jnJKVtAFiaqINiUtt/1jZuhF2 -bVGITvZK79kM6lg42xQcnhypzQPgkN7GQ/ApYqeKqCh1wV43KzT/CsJ9TrI0SC34 -qYHTEXXUprAuwQitgAJNi5QMdMtauCmpK+Xtl/72aetvL8jMFElOobeGwKgfLo9+ -We2EkKhSwyiy3W5TYI1UlV+evyyT+N0pmhRUSH6sJpzDnVYYPbCWa2b+0D/PHjXi -edKcely/NvqyVGoWZ+j41wkp5Q0wK2ybURS1ajfaKt0OcMhRf9XCfeXAQvU98mEk -FlfPaq0CXsjOy8eJXDeoc1dwxjDi2YbfHel0CafjrNp6qIFG9v3JxPUU19hG9lxD -Iv7VXftvMpjJCo/J4Qk+MOv7KsabgXg1iZHmllyyH3TY4AA4VA+mlceiiOHdXbKk -Q3BfS1jdXPV+2kBfqM4oWANArlrFTqtop8PPsDNqh/6SrVsthr7WTvC5q5h/Lmxy -Krm4Laf7JJMvdisfAsBbGZcR0Xv/Vw9cf2OIEzeOWbj5xul0kHT1vHhVNrBNanfe -t79RTDGESPbqz+bTS7olHWctl6TlwxA0/qKlI/PzXfOg63Nqy15woq9buca+uTcS -ccYO5au+g4Z70IEeQHsq5SC56qDR5/FvYyu5Ag0EV/SPmgEQANDSEMBKp6ER86y+ -udfKdSLP9gOv6hPsAgCHhcvBsks+ixeX9U9KkK7vj/1q6wodKf9oEbbdykHgIIB1 -lzY1l7u7/biAtQhTjdEZPh/dt3vjogrJblUEC0rt+fZe325ociocS4Bt9I75Ttkd -nWgkE4uOBJsSllpUbqfLBfYR58zz2Rz1pkBqRTkmJFetVNYErYi2tWbeJ59GjUN7 -w1K3GhxqbMbgx4dF5+rjGs+KI9k6jkGeeQHqhDk+FU70oLVLuH2Dmi9IFjklKmGa -3BU7VpNxvDwdoV7ttRYEBcBnPOmL24Sn4Xhe2MDCqgJwwyohd9rk8neV7GtavVea -Tv6bnzi1iJRgDld51HFWG8X+y55i5cYWaiXHdHOAG1+t35QUrczm9+sgkiKSk1II -TlEFsfwRl16NTCMGzjP5kGCm/W+yyyvBMw7CkENQcd23fMsdaQ/2UNYJau2PoRH/ -m+IoRehIcmE0npKeLVTDeZNCzpmfY18T542ibK49kdjZiK6G/VyBhIbWEFVu5Ll9 -+8GbcO9ucYaaeWkFS8Hg0FZafMk59VxKiICKLZ5he/C4f0UssXdyRYU6C5BH8UTC -QLg0z8mSSL+Wb2iFVPrn39Do7Zm8ry6LBCmfCf3pI99Q/1VaLDauorooJV3rQ5kC -JEiAeqQtLOvyoXIex1VbzlRUXmElABEBAAGJAh8EGAEIAAkFAlf0j5oCGwwACgkQ -FkawG4blAxAUUQ//afD0KLHjClHsA/dFiW+5qVzI8kPMHwO1QcUjeXrB6I3SluOT -rLSPhOsoS72yAaU9hFuq8g9ecmFrl3Skp/U4DHZXioEmozyZRp7eVsaHTewlfaOb -6g7+v52ktYdomcp3BM5v/pPZCnB5rLrH2KaUWbpY6V6tqtCHbF7zftDqcBENJDXf -hiCqS19J08GZFjDEqGDrEj3YEmEXZMN7PcXEISPIz6NYI6rw4yVH8AXfQW6vpPzm -ycHwI0QsVW2NQdcZ6zZt+phm6shNUbN2iDdg3BJICmIvQf8qhO3bOh0Bwc11FLHu -MKuGVxnWN82HyIsuUB7WDLBHEOtg61Zf1nAF1PQK52YuQz3EWI4LL9OqVqfSTY1J -jqIfj+u1PY2UHrxZfxlz1M8pXb1grozjKQ5aNqBKRrcMZNx71itR5rv18qGjGR2i -Sciu/xah7zAroEQrx72IjYt03tbk/007CvUlUqFIFB8kY1bbfX8JAA+TxelUniUR -2CY8eom5HnaPpKE3kGXZ0jWkudbWb7uuWcW1FE/bO+VtexpBL3SoXmwbVMGnJIEi -Uvy8m6ez0kzLXzJ/4K4b8bDO4NjFX2ocKdzLA89Z95KcZUxEG0O7kaDCu0x3BEge -uArJLecD5je2/2HXAdvkOAOUi6Gc/LiJrtInc0vUFsdqWCUK5Ao/MKvdMFW5Ag0E -V/SP2AEQALRcYv/hiv1n3VYuJbFnEfMkGwkdBYLGo3hiHKY8xrsFVePl9SkL8aqd -C310KUFNI42gGY/lz54RUHOqfMszTdafFrmwU18ECWGo4oG9qEutIKG7fkxcvk2M -tgsOMZFJqVDS1a9I4QTIkv1ellLBhVub9S7vhe/0jDjXs9IyOBpYQrpCXAm6SypC -fpqkDJ4qt/yFheATcm3s8ZVTsk2hiz2jnbqfvpte3hr3XArDjZXr3mGAp3YY9JFT -zVBOhyhT/92e6tURz8a/+IrMJzhSyIDel9L+2sHHo9E+fA3/h3lg2mo6EZmRTuvE -v9GXf5xeP5lSCDwS6YBXevJ8OSPlocC8Qm8ziww6dy/23XTxPg4YTkdf42i7VOpS -pa7EvBGne8YrmUzfbrxyAArK05lo56ZWb9ROgTnqM62wfvrCbEqSHidN3WQQEhMH -N7vtXeDPhAd8vaDhYBk4A/yWXIwgIbMczYf7Pl7oY3bXlQHb0KW/y7N3OZCr5mPW -94VLLH/v+T5R4DXaqTWeWtDGXLih7uXrG9vdlyrULEW+FDSpexKFUQe83a+Vkp6x -GX7FdMC9tNKYnPeRYqPF9UQEJg+MSbfkHSAJgky+bbacz+eqacLXMNCEk2LXFV1B -66u2EvSkGZiH7+6BNOar84I3qJrU7LBD7TmKBDHtnRr9JXrAxee3ABEBAAGJBEQE -GAEIAA8FAlf0j9gCGwIFCQHhM4ACKQkQFkawG4blAxDBXSAEGQEIAAYFAlf0j9gA -CgkQ0QH3iZ1B88PaoA//VuGdF5sjxRIOAOYqXypOD9/Kd7lYyxmtCwnvKdM7f8O5 -iD8oR2Pk1RhYHjpkfMRVjMkaLfxIRXfGQsWfKN2Zsa4zmTuNy7H6X26XW3rkFWpm -dECz1siGRvcpL6NvwLPIPQe7tST72q03u1H7bcyLGk0sTppgMoBND7yuaBTBZkAO -WizR+13x7FV+Y2j430Ft/DOe/NTc9dAlp6WmF5baOZClULfFzCTf9OcS2+bo68oP -gwWwnciJHSSLm6WRjsgoDxo5f3xBJs0ELKCr4jMwpSOTYqbDgEYOQTmHKkX8ZeQA -7mokc9guA0WK+DiGZis85lU95mneyJ2RuYcz6/VDwvT84ooe1swVkC2palDqBMwg -jZSTzbcUVqZRRnSDCe9jtpvF48WK4ZRiqtGO6Avzg1ZwMmWSr0zHQrLrUMTq/62W -KxLyj2oPxgptRg589hIwXVxJRWQjFijvK/xSjRMLgg73aNTq6Ojh98iyKAQ3HfzW -6iXBLLuGfvxflFednUSdWorr38MspcFvjFBOly+NDSjPHamNQ2h19iHLrYT7t4ve -nU9PvC+ORvXGxTN8mQR9btSdienQ8bBuU/mg/c417w6WbY7tkkqHqUuQC9LoaVdC -QFeE/SKGNe+wWN/EKi0QhXR9+UgWA41Gddi83Bk5deuTwbUeYkMDeUlOq3yyemcG -VxAA0PSktXnJgUj63+cdXu7ustVqzMjVJySCKSBtwJOge5aayonCNxz7KwoPO34m -Gdr9P4iJfc9kjawNV79aQ5aUH9uU2qFlbZOdO8pHOTjy4E+J0wbJb3VtzCJc1Eaa -83kZLFtJ45Fv2WQQ2Nv3Fo+yqAtkOkaBZv9Yq0UTaDkSYE9MMzHDVFx11TT21NZD -xu2QiIiqBcZfqJtIFHN5jONjwPG08xLAQKfUNROzclZ1h4XYUT+TWouopmpNeay5 -JSNcp5LsC2Rn0jSFuZGPJ1rBwB9vSFVA/GvOj8qEdfhjN3XbqPLVdOeChKuhlK0/ -sOLZZG91SHmT5SjP2zM6QKKSwNgHX4xZt4uugSZiY13+XqnrOGO9zRH8uumhsQmI -eFEdT27fsXTDTkWPI2zlHTltQjH1iebqqM9gfa2KUt671WyoL1yLhWrgePvDE+He -r002OslvvW6aAIIBki3FntPDqdIH89EEB4UEGqiA1eIZ6hGaQfinC7/IOkkm/mEa -qdeoI6NRS521/yf7i34NNj3IaL+rZQFbVWdbTEzAPtAs+bMJOHQXSGZeUUFrEQ/J -ael6aNg7mlr7cacmDwZWYLoCfY4w9GW6JHi6i63np8EA34CXecfor7cAX4XfaokB -XjyEkrnfV6OWYS7f01JJOcqYANhndxz1Ph8bxoRPelf5q+W5Ag0EWBU7dwEQAL1p -wH4prFMFMNV7MJPAwEug0Mxf3OsTBtCBnBYNvgFB+SFwKQLyDXUujuGQudjqQPCz -/09MOJPwGCOi0uA0BQScJ5JAfOq33qXi1iXCj9akeCfZXCOWtG3Izc3ofS6uee7K -fWUF1hNyA3PUwpRtM2pll+sQEO3y/EN7xYGUOM0mlCawrYGtxSNMlWBlMk/y5HK9 -upz+iHwUaEJ4PjV+P4YmDq0PnPvXE4qhTIvxx0kO5oZF0tAJCoTg1HE7o99/xq9Z -rejDR1JJj6btNw1YFQsRDLxRZv4rL9He10lmLhiQE8QN7zOWzyJbRP++tWY2d2zE -yFzvsOsGPbBqLDNkbb9d8Bfvp+udG13sHAEtRzI2UWe5SEdVHobAgu5l+m10WlsN -TG/L0gJe1eD1bwceWlnSrbqw+y+pam9YKWqdu18ETN6CeAbNo4w7honRkcRdZyoG -p9zZf3o1bGBBMla6RbLuJBoRDOy2Ql7B+Z87N0td6KlHI6X8fNbatbtsXR7qLUBP -5oRb6nXX4+DnTMDbvFpE2zxnkg+C354Tw5ysyHhM6abB2+zCXcZ3holeyxC+BUrO -gGPyLH/s01mg2zmttwC1UbkaGkQ6SwCoQoFEVq9Dp96B6PgZxhEw0GMrKRw53LoX -4rZif9Exv6qUFsGY8U9daEdDPF5UHYe7t/nPpfW3ABEBAAGJBD4EGAEIAAkFAlgV -O3cCGwICKQkQFkawG4blAxDBXSAEGQEIAAYFAlgVO3cACgkQRsITDf0kl/VynQ/+ -P3Vksu4fno26vA7ml9bzV3mu/X/gzU1HqySqYv9Zwzk2o512Z4QkoT/8lRepIG7v -AFRQzPn56Pz/vpMfiMDaf6thxs8wpv4y3m+rcQIQKO4sN3wwFPPbvM8wGoY6fGav -IkLKKIXy1BpzRGltGduf0c29+ycvzccQpyuTrZk4Zl73kLyBS8fCt+MZWejMMolD -uuLJiHbXci6+Pdi3ImabyStbNnJYmSyruNHcLHlgIbyugTiAcdTy0Bi/z8MfeYwj -VAwEkX4b2NwtuweYLzupBOTv0SqYCmBduZObkS5LHMZ+5Yh9Hfrd04uMdO5cIiy0 -AsGehTRC3Xyaea7Qk993rNcGEzX7LNB1GB2BXSq9FYPb+q0ewf8k8Lr9E0WG0dvD -OaJSkSGedgdA1QzvTgpAAkVWsXlksShVf4NVskxNUGDRaPLeRB+IV/5jO+kRsFuO -g5Tlkn6cgu1+Bn5gIfv0ny9K7TeC697gRQIcK8db1t8XidgSKbRmsSYEaRCy3c9x -w2/N7DLU/Js3gV8FUd7cZpaYN+k/erMdyfqLA7oFd+HLbA5Du/971yF8/6Bof8zp -jB9+QPRIARpcROEcQXz09dtl8wW8M0r09xpna+0Jk6JxF+stD97+hzikQXIxUtCX -j35ps9USSxv1cuz0MaFdWGW13OugtN4bQ2DNgelbTDUEKg//YTbBl9oGYQxHv9S5 -qvZVNvV3DuI18E5VW5ddyo/JfW24+Tukli/ZjPQYnMOP86nnIqo/LPGb4nV1uWL4 -KhmOCbH7t43+TkAwdwoxLjYP7iOqQp9VRPFjomUfvtmLjHp4r3cVEt5QeJEZLiSC -zSKMjPKqRMo5nNs3Et+/FyWCMRYdSggwhBfkbKKo44H9pmL3bTLqyir7EJAcArla -zjKMyZqRsK3gZfQgoASN5xAhemVWHnnecVSAqrOW599EBkc7Kf6lXjTVHtHN02vX -YYRZ16zrEjrfwb23LR+lAxSfWxLDovKLBg2SPbpduEv1GxyEFgF7v9fco4aQbuh/ -fOGvA8nuXkC5nI6ukw4c4zwmJ5+SNQthFUYKWLd4hR4qrCoJkMEWZmsCRtqxjVCJ -/i9ygRJHOGAWaam7bS+U7pdmq2mgF+qTxb2vX6mSzI3q3M7drGUA3EdaZo1hPA5u -kWi7tMCGqPQmtUFRnUvHPzCDuXLYT8lRxhTxDi3T5MXdIUlAUTcNpwG8Ill0xkGc -pMlh0D5p44GEdMFfJiXw6AUETHcqC2qZr2rP9kpzvVlapIrsPRg/DU+s70YnccI3 -iMCVm4/WrghFeK232zkjiwRVOm+IEWBlDFrm4MMjfguUeneYbK9WhqJnss9nc4QK -Vhzuyn3GTtg1w/T6CaYVXBjcHFmJBEQEGAEIAA8CGwIFAlokZSMFCQQWmKMCKcFd -IAQZAQgABgUCWBU7dwAKCRBGwhMN/SSX9XKdD/4/dWSy7h+ejbq8DuaX1vNXea79 -f+DNTUerJKpi/1nDOTajnXZnhCShP/yVF6kgbu8AVFDM+fno/P++kx+IwNp/q2HG -zzCm/jLeb6txAhAo7iw3fDAU89u8zzAahjp8Zq8iQsoohfLUGnNEaW0Z25/Rzb37 -Jy/NxxCnK5OtmThmXveQvIFLx8K34xlZ6MwyiUO64smIdtdyLr492LciZpvJK1s2 -cliZLKu40dwseWAhvK6BOIBx1PLQGL/Pwx95jCNUDASRfhvY3C27B5gvO6kE5O/R -KpgKYF25k5uRLkscxn7liH0d+t3Ti4x07lwiLLQCwZ6FNELdfJp5rtCT33es1wYT -Nfss0HUYHYFdKr0Vg9v6rR7B/yTwuv0TRYbR28M5olKRIZ52B0DVDO9OCkACRVax -eWSxKFV/g1WyTE1QYNFo8t5EH4hX/mM76RGwW46DlOWSfpyC7X4GfmAh+/SfL0rt -N4Lr3uBFAhwrx1vW3xeJ2BIptGaxJgRpELLdz3HDb83sMtT8mzeBXwVR3txmlpg3 -6T96sx3J+osDugV34ctsDkO7/3vXIXz/oGh/zOmMH35A9EgBGlxE4RxBfPT122Xz -BbwzSvT3Gmdr7QmTonEX6y0P3v6HOKRBcjFS0JePfmmz1RJLG/Vy7PQxoV1YZbXc -66C03htDYM2B6VtMNQkQFkawG4blAxCiVRAAhq/1L5YlsmItiC6MROtPP+lfAWRm -MSkoIuAtzkV/orqPetwWzjYLgApOvVXBuf9FdJ5vAx1IXG3mDx6mQQWkr4t9onwC -UuQ7lE29qmvCHB3FpKVJPKiGC6xK38t5dGAJtbUMZBQb1vDuQ7new8dVLzBSH1VZ -7gx9AT+WEptWznb1US1AbejO0uT8jsVc/McK4R3LQmVy9+hbTYZFz1zCImuv9SCN -ZPSdLpDe41QxcMfKiW7XU4rshJULKd4HYG92KjeJU80zgCyppOm85ENiMz91tPT7 -+A4O7XMlOaJEH8t/2SZGBE/dmHjSKcWIpJYrIZKXTrNv7rSQGvweNG5alvCAvnrL -J2cRpU1Rziw7auEU1YiSse+hQ1ZBIzWhPMunIdnkL/BJunBTVE7hPMMG7alOLy5Z -0ikNytVewasZlm/dj5tEsfvF7tisVTZWVjWCvEMTP5fecNMEAwbZdBDyQBAN00y7 -xp4Pwc/kPLuaqESyTTt8jGek/pe7/+6fu0GQmR2gZKGagAxeZEvXWrxSJp/q81XS -QGcO6QYMff7VexY3ncdjSVLro+Z3ZtYt6aVIGAEEA5UE341yCGIeN+nr27CXD4fH -F28aPh+AJzYh+uVjQhHbL8agwcyCMLgU88u1U0tT5Qtjwnw+w+3UNhROvn495REp -eEwD60iVeiuF5FW5Ag0EWbWWowEQALCiEk5Ic40W7/v5hqYNjrRlxTE/1axOhhzt -8eCB7eOeNOMQKwabYxqBceNmol/guzlnFqLtbaA6yZQkzz/K3eNwWQg7CfXO3+p/ -dN0HtktPfdCk+kY/t7StKRjINW6S9xk9KshiukmdiDq8JKS0HgxqphBB3tDjmo6/ -RiaOEFMoUlXKSU+BYYpBpLKg53P8F/8nIsK2aZJyk8XuBd0UXKI+N1gfCfzoDWnY -Hs73LQKcjrTaZQauT81J7+TeWoLI28vkVxyjvTXAyjSBnhxTYfwUNGSoawEXyJ1u -KCwhIpklxcCMI9Hykg7sKNsvmJ4uNcRJ7cSRfb0g5DR9dLhR+eEvFd+o4PblKk16 -AI48N8Zg1dLlJuV2cAtl0oBPk+tnbZukvkS5n1IzTSmiiPIXvK2t506VtfFEw4iZ -rJWf2Q9//TszBM3r1FPATLH7EAeG5P8RV+ri7L7NvzP6ZQClRDUsxeimCSe8v/t0 -OpheCVMlM9TpVcKGMw8ig/WEodoLOP4iqBs4BKR7fuydjDqbU0k/sdJTltp7IIdK -1e49POIQ7pt+SUrsq/HnPW4woLC1WjouBWyr2M7/a0SldPidZ2BUAK7O9oXosidZ -MJT7dBp3eHrspY4bdkSxsd0nshj0ndtqNktxkrSFRkoFpMz0J/M3Q93CjdHuTLpT -HQEWjm/7ABEBAAGJBEQEGAEIAA8FAlm1lqMCGwIFCQJ2LQACKQkQFkawG4blAxDB -XSAEGQEIAAYFAlm1lqMACgkQ4HTRbrb/TeMpDQ//eOIsCWY2gYOGACw42JzMVvuT -DrgRT4hMhgHCGeKzn1wFL1EsbSQV4Z6pYvnNayuEakgIz14wf4UFs5u1ehfBwatm -akSQJn32ANcAvI0INAkLEoqqy81mROjMc9FFrOkdqjcN7yN0BzH9jNYL/gsvmOOw -Ou+dIH3C1Lgei844ZR1BZK1900mohuRwcji0sdROMcrKrGjqd4yb6f7yl0wbdAxA -3IHT3TFGczC7Y41P2OEpaJeVIZZgxkgQsJ14qK/QGpdKvmZAQpjHBipeO/H+qxyO -T5Y+f15VLWGOOVL090+ZdtF7h3m4X2+L7xWsFIgdOprfO60gq3e79YFfgNBYU5BG -tJGFGlJ0sGtnpzx5QCRka0j/1E5lIu00sW3WfGItFd48hW6wHCloyoi7pBR7xqSE -oU/U5o7+nC8wHFrDYyqcyO9Q3mZDw4LvlgnyMOM+qLv/fNgO9USE4T30eSvc0t/5 -p1hCKNvyxHFghdRSJqn70bm6MQY+kd6+B/k62Oy8eCwRt4PR+LQEIPnxN7xGuNpV -O1oMyhhO41osYruMrodzw81icBRKYFlSuDOQ5jlcSajc6TvF22y+VXy7nx1q/CN4 -tzB/ryUASU+vXS8/QNM6qI/QbbgBy7VtHqDbs2KHp4cP0j9KYQzMrKwtRwfHqVrw -FLkCp61EHwSlPsEFiglpMg/8DQ92O4beY0n7eSrilwEdJg89IeepTBm1QYiLM33q -WLR9CABYAIiDG7qxviHozVfX6kUwbkntVpyHAXSbWrM3kD6jPs3u/dimLKVyd29A -VrBSn9FC04EjtDWsj1KB7HrFN4oo9o0JLSnXeJb8FnPf3MitaKltvj/kZhegozIs -+zvpzuri0LvoB4fNA0T4eAmxkGkZBB+mjNCrUHIakyPZVzWGL0QGsfK1Q9jvw0OE -rqHJYX8A1wLre/HkBne+e5ezS6Mc7kFW33Y1arfbHFNAe12juPsOxqK76qNilUbQ -pPtNvWP3FTpbkAdodMLq/gQ+M5yHwPe8SkpZ8wYCfcwEemz/P+4QhQB8tbYbpcPx -J+aQjVjcHpsLdrlSY3JL/gqockR7+97GrCzqXbgvsqiWr16Zyn6mxYWEHn9HXMh3 -b+2IYKFFXHffbIBq/mfibDnZtQBrZpn2uyh6F2ZuOsZh0LTD7RL53KV3fi90nS00 -Gs1kbMkPycL1JLqvYQDpllE2oZ1dKDYkwivGyDQhRNfERL6JkjyiSxfZ2c84r2HP -gnJTi/WBplloQkM+2NfXrBo6kLHSC6aBndRKk2UmUhrUluGcQUyfzYRFH5kVueIY -fDaBPus9gb+sjnViFRpqVjefwlXSJEDHWP3Cl2cuo2mJjeDghj400U6pjSUW3bIC -/PK5Ag0EXCxEEQEQAKVjsdljwPDGO+48879LDa1d7GEu/Jm9HRK6INCQiSiS/0mH -keKa6t4DRgCY2ID9lFiegx2Er+sIgL0chs16XJrFO21ukw+bkBdm2HYUKSsUFmr/ -bms8DkmAM699vRYVUAzO9eXG/g8lVrAzlb3RT7eGHYKd15DT5KxXDQB+T+mWE9qD -5RJwEyPjSU+4WjYF+Rr9gbSuAt5UySUb9jTR5HRNj9wtb4YutfP9jbfqy8esQVG9 -R/hpWKb2laxvn8Qc2Xj93qNIkBt/SILfx9WDJl0wNUmu+zUwpiC2wrLFTgNOpq7g -9wRPtg5mi8MXExWwSF2DlD54yxOOAvdVACJFBXEcstQ3SWg8gxljG8eLMpDjwoIB -ax3DZwiYZjkjJPeydSulh8vKoFBCQkf2PcImXdOk2HqOV1L7FROM6fKydeSLJbx1 -7SNjVdQnq1OsyqSO0catAFNptMHBsN+tiCI29gpGegaoumV9cnND69aYvyPBgvdt -mzPChjSmc6rzW1yXCJDm2qzwm/BcwJNXW5B3EUPxc0qSWste9fUna0G4l/WMuaIz -VkuTgXf1/r9HeQbjtxAztxH0d0VgdHAWPDkUYmztcZ4sd0PWkVa18qSrOvyhI96g -CzdvMRLX17m1kPvP5PlPulvqizjDs8BScqeSzGgSbbQVm5Tx4w2uF4/n3FBnABEB -AAGJBEQEGAECAA8FAlwsRBECGwIFCQIKEgACKQkQFkawG4blAxDBXSAEGQECAAYF -AlwsRBEACgkQI+cWZ4i2Ph6B0g//cPis3v2M6XvAbVoM3GIMXnsVj1WAHuwA/ja7 -UfZJ9+kV/PiMLkAbW0fBj0/y0O3Ry12VVQGXhC+Vo4j6C8qwFP4OXa6EsxHXuvWM -IztBaX1Kav613aXBtxp6tTrud0FFUh4sDc1RREb3tMr6y5cvFJgnrdWcX1gsl6OD -cgWBGNc6ZX7H7j48hMR6KmNeZocW7p8W+BgDQJqXYwVNL15qOHzVAh0dWsFLE9gw -BTmDCY03x9arxSNDGCXyxt6E77LbNVIoSRlEbkvi6j33nEbuERICYl6CltXQCyiV -KjheJcLMjbgv5+bLCv2zfeJ/WyOmOGKpHRu+lBV1GvliRxUblVlmjWPhYPBZXGyj -II16Tqr+ilREcZFW+STccbrVct75JWLbxwlEmix+W1HwSRCR+KHx3Cur4ZPMOBlP -sFilOOsNa7ROUB56t7zv21Ef3BeeaCd9c4kzNGN8d1icEqSXoWWPqgST0LZPtZyq -WZVnWrHChVHfrioxhSnw8O3wY1A2GSahiCSvvjvOeEoJyU21ZMw6AVyHCh6v42oY -adBfGgFwNo5OCMhNxNy/CcUrBSDqyLVTM5QlNsT75Ys7kHHnc+Jk+xx4JpiyNCz5 -LzcPhlwpqnJQcjJdY1hDhK75Ormj/NfCMeZ8g1aVPX4xEq8AMyZYhZ5/lmM+13Rd -v8ZW6FK7HQ/+IAKzntxOjw0MzCXkksKdmIOZ2bLeOVI8aSLaUmoT5CLuoia9g7iF -HlYrSY+01riRrAaPtYx0x8onfyVxL9dlW/Fv5+qc1fF5FxdhyIgdqgzm82TnXHu/ -haUxYmUvNrbsmmNl5UTTOf+YQHMccKFdYfZ2rCBtbN2niXG1tuz2+k83pozu4mJ1 -rOOLNAsQoY3yR6OODte1FyOgp7blwDhTIoQb8/UiJ7CMBI3OPrfoXFAnhYoxeRSA -N4UFu9/HIkqfaQgRPCZS1gNerWF6r6yz9AZWUZqjSJssjBqXCtK9bGbTYBZk+pw3 -H9Nd0RJ2WJ9qPqmlmUr1wdqct0ChsJx1xAT86QrssicJ/HFFmF45hlnGkHUBWLaV -Jt8YkLb/DqOIbVbwyCLQtJ80VQLEeupfmu5QNsTpntRYNKf8cr00uc8vSYXYFRxa -5H5oRT1eoFEEjDDvokNnHXfT+Hya44IjYpzaqvAgeDp6sYlOdtWIv/V3s+trxACw -TkRN7zw3lLTbT8PK9szK0fYZ5KHG1/AKH+mbZ6qNc/25PNbAFRtttLGuEIC3HJ12 -IAp2JdjioeD2OnWLu4ZeCT2CKKFsleZPrSyCrn3gyZPmfYvv5h2JbQNO6uweOrZE -NWX5SU43OBoplbuKJZsMP6p6NahuGnIeJLlv509JYAf/HN4ARyvvOpO5Ag0EXDf1 -bwEQAKBByJMoxQ7H6AsQP29qjY8/pfDiNloQDHasUXoOyTfUetam3rY/UWCHFrMD -0jvOHNIqEVJPsSWrxBYf+i4NNECsCSj39JHdVLOkn6pJcRnMzmljS8ojOybYRUTT -KdKlV+jYy6hqAjTvnf/pzZOrNseKyxAo/xETphN2UEBKOZwV5j5YV6VXptt6xn1x -EL1wzahZr6qz/gXn5//mg6aPPUCJt7BPBtC34HGoyHUn4Cx/jSU7zlQLV11VyTyt -/TY69Wgc1k21oS0tm44uw8D+4bIXYewxNq0utt75c75JK5rPKCpIkaSgE3YUPAhM -fpoUxSgo+hrTaocLbQm3/fDfRqYhw9IWrOuWLYEEI5NqS0etq2X+nM2oEXymxUM1 -45dicUv27B1YU5IciRaoA3Bwkl3uyvLhkwBNgJGpBoRsgyWKhlUpdMOSAFPHag0D -HNCKbFTGxZOJ1+BoDsIscK864AodI0YvhMFByWGRwQMszQpK/vg9uUdIMDYTzI0i -nvCrOht4R91z/2VZXHlv4D38UYsVE5P6u7N8T6T4SzERBKSktWhnJmMRJK5FQQwM -zWCnSj9TGMC5+JYeMjRV1pUwpZw8iOlDg0x8LfMQ3XbZ0/bvlPsXOjiYmHAjrLZf -qL0vR5jPyrfVUxF/XHJBBC9SEvvXrEDK+G+V9NmNavUNrhLnABEBAAGJBEQEGAEC -AA8FAlw39W8CGwIFCQH+NIACKQkQFkawG4blAxDBXSAEGQECAAYFAlw39W8ACgkQ -T3dnk2lHW6p0eg/+K2JJu1RbTSLJPFYQhLcxX+5d2unkuNLIy3kArtZuB992E2Fw -00okPGtuPdSyk2ygh4DeYnwmabIWChi7LDp+YnqcI4GfMxNG6RsHs+A/77rLBST3 -BB1sejZppmKCQZDSC2pvYaZBpS80UvftCZ9RFdY+kTC22Btn/5ekiQOfIqhUH9Cy -GWS/YlGciomVIVn1hSPN8l4EpBCDtceRaephvzjQIZT3AxOfSlpwJviYjAOkSX4q -WyIjC5Ke5kfEOldUuBN1JGAm45tKlrz/LD/+VOc2IWpbkOIAVSldUgpRyiIJQAZ8 -0trNxrJI7ncaID8lAa7pBptJiL0KorRjk3c6Y7p830Nwe0J5e5+W1RzN4wlR8+9u -uRyP8Mcwz/Hz2jwMiv38Vk4tAOe4PYNZuDnpjZ28yCpF3UUgvzjarubFAcg2jd8S -auCQFlmOfvT+1qIMSeLmWBOdlzJTUpJRcZqnkEE4WtiMSlxyWVFvUwOmKSGi8CLo -GW1Ksh9thQ9zKhvVUiVoKn4Z79HXr4pX6rnp+mweJ2dEZtlqD7HxjVTlCHn9fzCl -t/Nt0h721fJbS587AC/ZMgg5GV+GKu6Mij0sPAowUJVCIwN9uK/GHICZEAoMSngP -8xzKnhU5FD38vwBvsqbKxTtICrv2NuwnQ0WBBQ58w5mv2RCMr2W6iegSKIDjwxAA -hDpCw0dlUOodY4omJB19Ra9zIZO5IGxT2+oksks3uWkT/l+I7FY0+YNtIZnC01Ge -RJxJtuDwQXigYEKn1UEJ7ymBKrAdCEY0OC344AffLx81aOYWbbW7XaO6rZn8nyZu -0oC95dGlQQdWYJBLcTwANx50iQQGkR5a+XF87yVciFm6x5Cf78pzJ5OBvN3qLJzN -4YBftPMKIgbozGm6/3I6DDT0SMeCOhamshoBf7Ksqd6N+XUjRHZr7UwprWDJlhSC -XFF1e6tjlf22NwZ9UH29VswFkepT99tfBFpobjbzfABO0YnAj72WcR2ZKP7oYHf7 -EkhI2ssWQ9PRPTwdOSXZDEH0s4cJqO+ZzRoAPE+3hbHlGukAqZiiHRlNpOvPdO6Q -mgVBRsURs5i+4vylfat59HUtzQWbTF1bnZbMlefttb5CHRJNb3PTuxHR562Uzp9/ -/SZfDhAx7SYgwRF+FANWJsvX+I7CbP4qvOzutvIYTsNchbCxrOl+0PxMxWaYZzVb -ZW45mO0LFUNCFqcnr3Sot5e9n0C0vjKBV9XgICHKKgeHaMwOMirb1MKvvMpJ3+NI -BYZJ6d+LyhFXL0xJXccUnEXsmk2h4SBEEZYIhAk9ntRmzOXhXFLAOS8agWlmvYwh -xeeb76cVOYlpLw1utXV9hbuo+oM109vMs73mpF88g4g= -=oMDY ------END PGP PUBLIC KEY BLOCK----- diff --git a/roles/sram_sbs/handlers/main.yml b/roles/sram_sbs/handlers/main.yml deleted file mode 100644 index bc8be505b..000000000 --- a/roles/sram_sbs/handlers/main.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -- name: Restart sbs containers - community.docker.docker_container: - name: "{{ item }}" - state: started - restart: true - loop: - - sram-sbs-client - - sram-sbs-server diff --git a/roles/sram_sbs/tasks/main.yml b/roles/sram_sbs/tasks/main.yml deleted file mode 100644 index 9c0d93d80..000000000 --- a/roles/sram_sbs/tasks/main.yml +++ /dev/null @@ -1,153 +0,0 @@ ---- -- name: "Create SBS group" - group: - name: "{{ sram_sbs_group }}" - state: "present" - register: "result" - -- name: "Save SBS group gid" - set_fact: - sbs_group_gid: "{{ result.gid }}" - -- name: "Create SBS user" - user: - name: "{{ sram_sbs_user }}" - group: "{{ sram_sbs_group }}" - comment: "User to run SBS service" - shell: "/bin/false" - password: "!" - home: "{{ sram_sbs_conf_dir }}" - create_home: false - state: "present" - register: "result" - -- name: "Save sbs user uid" - set_fact: - sbs_user_uid: "{{ result.uid }}" - -- name: "Create directories" - file: - path: "{{item.path}}" - state: "directory" - owner: "{{sbs_user_uid}}" - group: "{{sbs_group_gid}}" - mode: "{{item.mode}}" - with_items: - - { path: "{{sram_sbs_work_dir}}", mode: "0755" } - - { path: "{{sram_sbs_conf_dir}}", mode: "0755" } - - { path: "{{sram_sbs_conf_dir}}/saml", mode: "0755" } - - { path: "{{sram_sbs_log_dir}}", mode: "0775" } - -- name: "Fix file permissions" - file: - path: "{{sram_sbs_log_dir}}/{{item}}" - owner: "{{sbs_user_uid}}" - group: "{{sbs_group_gid}}" - mode: "0664" - state: "touch" - modification_time: "preserve" - access_time: "preserve" - with_items: - - "sbs.log" - - "sbs.debug.log" - -- name: "Create SBS config files" - template: - src: "{{item.name}}.j2" - dest: "{{ sram_sbs_conf_dir }}/{{item.name}}" - owner: "{{sbs_user_uid}}" - group: "{{sbs_group_gid}}" - mode: "{{item.mode}}" - with_items: - - { name: "config.yml", mode: "0644" } - - { name: "alembic.ini", mode: "0644" } - - { name: "disclaimer.css", mode: "0644" } - - { name: "sbs-apache.conf", mode: "0644" } - no_log: "{{ sram_sbs_ansible_nolog }}" - notify: "Restart sbs containers" - -- name: "Pull sbs image" - community.docker.docker_image_pull: - name: "{{ item }}" - with_items: - - "{{ sram_sbs_client_image }}" - - "{{ sram_sbs_server_image }}" - register: "sbs_images" - -- name: "Migration" - # For some reason --check breaks this block - when: "sbs_images is changed and not ansible_check_mode" - block: - - name: "Run SBS migrations" - throttle: 1 - community.docker.docker_container: - name: "sram-sbs-migration" - image: "{{ sram_sbs_server_image }}" - pull: "never" - state: "started" - restart_policy: "no" - detach: false - env: - RUNAS_UID: "{{ sbs_user_uid | string }}" - RUNAS_GID: "{{ sbs_group_gid | string }}" - MIGRATIONS_ONLY: "1" - # don't actually run the server - command: "/bin/true" - volumes: - - "{{ sram_sbs_conf_dir }}:/sbs-config" - - "{{ sram_sbs_log_dir }}:/opt/sbs/log" - networks: - # TODO: Should we parametrize this? - - name: "loadbalancer" - register: "result" - failed_when: "'container' not in result or result.container.State.ExitCode != 0" - changed_when: "'[alembic.runtime.migration] Running upgrade' in result.container.Output | default('')" - notify: "Restart sbs containers" - - # Remove the migration container; we can't do that with auto_remove, - # because if we use that, ansible will not save the output in result - - name: "Remove migration container" - community.docker.docker_container: - name: "sram-sbs-migration" - state: "absent" - -- name: "Start sbs client container" - community.docker.docker_container: - name: "sram-sbs-client" - image: "{{ sram_sbs_client_image }}" - pull: "never" - restart_policy: "always" - state: "started" - restart: "{{ sbs_images is changed}}" - volumes: - - "{{ sram_sbs_conf_dir }}/sbs-apache.conf:/etc/apache2/sites-enabled/sbs.conf:ro" - - "{{ sram_sbs_conf_dir }}/disclaimer.css:/opt/sbs/client/dist/disclaimer.css:ro" - networks: - - name: "loadbalancer" - labels: - traefik.http.routers.sbsclient.rule: "Host(`{{ sram_sbs_base_domain }}`)" - traefik.http.routers.sbsclient.tls: "true" - traefik.enable: "true" - -- name: "Start SBS server container" - community.docker.docker_container: - name: "sram-sbs-server" - image: "{{ sram_sbs_server_image }}" - restart_policy: "always" - state: "started" - restart: "{{ sbs_images is changed}}" - env: - RUNAS_UID: "{{ sbs_user_uid | string }}" - RUNAS_GID: "{{ sbs_group_gid | string }}" - CONFIG: "/opt/sbs/server/config/config.yml" - REQUESTS_CA_BUNDLE: "/etc/ssl/certs/ca-certificates.crt" - RUN_MIGRATIONS: "0" - pull: "never" - volumes: - - "{{ sram_sbs_conf_dir }}:/sbs-config" - - "{{ sram_sbs_log_dir }}:/opt/sbs/log" - - "/tmp/ci-runner:/tmp/ci-runner" - networks: - - name: "loadbalancer" - etc_hosts: - host.docker.internal: host-gateway diff --git a/roles/sram_sbs/templates/alembic.ini.j2 b/roles/sram_sbs/templates/alembic.ini.j2 deleted file mode 100644 index e6049eebb..000000000 --- a/roles/sram_sbs/templates/alembic.ini.j2 +++ /dev/null @@ -1,72 +0,0 @@ -# A generic, single database configuration. - -[alembic] -# path to migration scripts -script_location = migrations - -# template used to generate migration files -# file_template = %%(rev)s_%%(slug)s - -# timezone to use when rendering the date -# within the migration file as well as the filename. -# string value is passed to dateutil.tz.gettz() -# leave blank for localtime -# timezone = - -# max length of characters to apply to the -# "slug" field -#truncate_slug_length = 40 - -# set to 'true' to run the environment during -# the 'revision' command, regardless of autogenerate -# revision_environment = false - -# set to 'true' to allow .pyc and .pyo files without -# a source .py file to be detected as revisions in the -# versions/ directory -# sourceless = false - -# version location specification; this defaults -# to alembic/versions. When using multiple version -# directories, initial revisions must be specified with --version-path -# version_locations = %(here)s/bar %(here)s/bat alembic/versions - -# the output encoding used when revision files -# are written from script.py.mako -# output_encoding = utf-8 - -sqlalchemy.url = {{ sram_sbs_db_connection_migration }} - -# Logging configuration -[loggers] -keys = root,sqlalchemy,alembic - -[handlers] -keys = console - -[formatters] -keys = generic - -[logger_root] -level = NOTSET -handlers = console - -[logger_sqlalchemy] -level = WARN -handlers = -qualname = sqlalchemy.engine - -[logger_alembic] -level = INFO -handlers = -qualname = alembic - -[handler_console] -class = StreamHandler -args = (sys.stderr,) -level = DEBUG -formatter = generic - -[formatter_generic] -format = %(levelname)-5.5s [%(name)s] %(message)s -datefmt = %H:%M:%S diff --git a/roles/sram_sbs/templates/config.yml.j2 b/roles/sram_sbs/templates/config.yml.j2 deleted file mode 100644 index 28dcfe3b4..000000000 --- a/roles/sram_sbs/templates/config.yml.j2 +++ /dev/null @@ -1,256 +0,0 @@ ---- -database: - uri: {{ sram_sbs_db_connection_sbs }} - -redis: - uri: "redis{% if sram_sbs_redis_ssl %}s{% endif %}://{{ sram_sbs_redis_user }}:{{ sram_sbs_redis_password }}@{{ sram_sbs_redis_host }}:{{ sram_sbs_redis_port }}/" - -# add a per-release suffix here to invalidate sessions on new releases -secret_key: {{ sram_sbs_db_secret }}{{ sram_sbs_secret_key_suffix }} -# Must be a base64 encoded key of 128, 192, or 256 bits. -# Generate: base64.b64encode(os.urandom(256 // 8)).decode() -encryption_key: {{ sram_sbs_encryption_key }} - -# Lifetime of session in minutes (one day is 60 * 24) -permanent_session_lifetime: {{ sram_sbs_session_lifetime }} - -logging: - log_to_stdout: {{ sram_sbs_log_to_stdout }} - -# Valid scopes are "READ" and "WRITE" -api_users: -{% for name, user in sram_sbs_api_users.items() %} - - name: "{{ name }}" - password: "{{ user.password }}" - scopes: "[ {{ user.scopes | join(', ') }} ]" -{% endfor %} - -oidc: - client_id: "{{ sram_sbs_oidc_client_id }}" - client_secret: "{{ sram_sbs_oidc_client_secret }}" - audience: "{{ sram_sbs_oidc_jwt_audience }}" - verify_peer: {{ sram_sbs_oidc_verify_peer }} - authorization_endpoint: "{{ sram_sbs_oidc_authz_endpoint}}" - token_endpoint: "{{ sram_sbs_oidc_token_endpoint }}" - userinfo_endpoint: "{{ sram_sbs_oidc_userinfo_endpoint }}" - jwks_endpoint: "{{ sram_sbs_oidc_jwks_endpoint }}" - #Note that the paths for these uri's is hardcoded and only domain and port differ per environment - redirect_uri: "{{ sram_sbs_oidc_redirect_uri }}" - continue_eduteams_redirect_uri: "{{ sram_sbs_eduteams_continue_endpoint }}" - continue_eb_redirect_uri: "{{ sram_sbs_eb_continue_endpoint }}" - second_factor_authentication_required: {{ sram_sbs_second_factor_authentication_required }} - totp_token_name: "{{ sram_sbs_totp_token_name }}" - # The service_id in the proxy_authz endpoint when logging into SBS. Most likely to equal the oidc.client_id - sram_service_entity_id: "{{ sram_sbs_oidc_client_id }}" - scopes: {{ sram_sbs_oidc_scopes }} - -base_scope: "{{ base_domain }}" -entitlement_group_namespace: "{{ sram_sbs_urn_namespace }}" -eppn_scope: " {{ sram_sbs_eppn_scope }}" -scim_schema_sram: "urn:mace:surf.nl:sram:scim:extension" -collaboration_creation_allowed_entitlement: "urn:mace:surf.nl:sram:allow-create-co" - -environment_disclaimer: "{{ sram_sbs_disclaimer_label }}" - -# All services in the white list can be requested in the create-restricted-co API -# The default organisation is a fallback for when the administrator has no schac_home_org -restricted_co: - services_white_list: [ "https://cloud" ] - default_organisation: "{{ sram_sbs_restricted_co_default_org }}" - -mail: - host: {{ sram_sbs_mail_host }} - port: {{ sram_sbs_mail_port }} - sender_name: {{ sram_sbs_mail_sender_name }} - sender_email: {{ sram_sbs_mail_sender_email }} - suppress_sending_mails: {{ sram_sbs_suppress_mails }} - info_email: {{ sram_sbs_support_email }} - beheer_email: {{ sram_sbs_admin_email }} - ticket_email: {{ sram_sbs_ticket_email }} - eduteams_email: {{ sram_sbs_eduteams_email }} - # Do we mail a summary of new Organizations and Services to the beheer_email? - audit_trail_notifications_enabled: {{ sram_sbs_audit_trail_notifications_enabled }} - account_deletion_notifications_enabled: True - send_exceptions: {{ sram_sbs_send_exceptions }} - send_js_exceptions: {{ sram_sbs_send_js_exceptions }} - send_exceptions_recipients: [ "{{ sram_sbs_exceptions_mail }}" ] - environment: "{{ base_domain }}" - -manage: - enabled: {{ sram_sbs_manage_base_enabled }} - # The entity_id of the SRAM RP in Manage for API retrieval, e.g "sbs.test2.sram.surf.nl" - sram_rp_entity_id: "{{ sram_sbs_manage_sram_rp_entity_id }}" - base_url: "{{ sram_sbs_manage_base_url }}" - user: "{{ sram_sbs_manage_user }}" - password: "{{ sram_sbs_manage_password }}" - verify_peer: {{ sram_sbs_manage_verify_peer }} - -aup: - version: 1 - url_aup_en: "https://edu.nl/6wb63" - url_aup_nl: "https://edu.nl/6wb63" - -base_url: {{ sram_sbs_base_url }} -socket_url: {{ sram_sbs_base_url }} -base_server_url: {{ sram_sbs_base_url }} -wiki_link: {{ sram_sbs_wiki_link }} - -admin_users: -{% for admin_user in sram_sbs_admin_users %} - - uid: "{{ admin_user.uid }}" -{% endfor %} - -organisation_categories: - - "HBO" - - "MBO" - - "UMC" - - "University" - - "Research" - - "SURF" - -feature: - seed_allowed: {{ sram_sbs_seed_allowed }} - api_keys_enabled: {{ sram_sbs_api_keys_enabled }} - feedback_enabled: {{ sram_sbs_feedback_enabled }} - impersonation_allowed: {{ sram_sbs_impersonation_allowed }} - sbs_swagger_enabled: {{ sram_sbs_swagger_enabled }} - admin_platform_backdoor_totp: {{ sram_sbs_admin_platform_backdoor_totp }} - past_dates_allowed: {{ sram_sbs_past_dates_allowed }} - mock_scim_enabled: {{ sram_sbs_mock_scim_enabled }} - -metadata: - idp_url: "{{ sram_sbs_idp_metadata_url }}" - parse_at_startup: True - # No need for environment specific values - scope_override: - knaw.nl: "Koninklijke Nederlandse Akademie van Wetenschappen (KNAW)" - -platform_admin_notifications: - # Do we daily check for CO join_requests and CO requests and send a summary mail to beheer_email? - enabled: False - cron_hour_of_day: {{ sram_sbs_cron_hour_of_day }} - # How long before we include open join_requests in the summary - outstanding_join_request_days_threshold: 7 - # How long before we include open CO requests in the summary - outstanding_coll_request_days_threshold: 7 - -user_requests_retention: - # Do we daily check for CO join_requests and CO requests and delete approved and denied? - enabled: {{ sram_sbs_notifications_enabled }} - cron_hour_of_day: {{ sram_sbs_cron_hour_of_day }} - # How long before we delete approved / denied join_requests - outstanding_join_request_days_threshold: 90 - # How long before we delete approved / denied CO requests - outstanding_coll_request_days_threshold: 90 - -# The retention config determines how long users may be inactive, how long the reminder email is valid and when do we resent the magic link -retention: - cron_hour_of_day: {{ sram_sbs_cron_hour_of_day }} - # how many days of inactivity before a user is suspended - # 0 allows for any last_login_date in the past to trigger suspension notification - allowed_inactive_period_days: {{ sram_sbs_suspension_inactive_days }} - # how many days before suspension do we send a warning - # -1 will suspend notified users on second suspension cron - reminder_suspend_period_days: {{ sram_sbs_suspension_reminder_days }} - # how many days after suspension do we delete the account - remove_suspended_users_period_days: 90 - # how many days before deletion do we send a reminder - reminder_expiry_period_days: 7 - # whether to send a notification of the result of the retention process to the beheer_email - admin_notification_mail: {{ sram_sbs_suspension_notify_admin }} - -collaboration_expiration: - # Do we daily check for CO's that will be deleted because they have been expired? - enabled: {{ sram_sbs_notifications_enabled }} - cron_hour_of_day: {{ sram_sbs_cron_hour_of_day }} - # How long after expiration do we actually delete expired collaborations - expired_collaborations_days_threshold: 90 - # How many days before actual expiration do we mail the organisation members - expired_warning_mail_days_threshold: 10 - -collaboration_suspension: - # Do we daily check for CO's that will be suspended because of inactivity? - enabled: {{ sram_sbs_notifications_enabled }} - cron_hour_of_day: {{ sram_sbs_cron_hour_of_day }} - # After how many days of inactivity do we suspend collaborations - collaboration_inactivity_days_threshold: 365 - # How many days before actual suspension do we mail the organisation members - inactivity_warning_mail_days_threshold: 10 - # After how many days after suspension do we actually delete the collaboration - collaboration_deletion_days_threshold: 90 - -membership_expiration: - # Do we daily check for memberships that will be deleted because they have been expired? - enabled: {{ sram_sbs_notifications_enabled }} - cron_hour_of_day: {{ sram_sbs_cron_hour_of_day }} - # How long after expiration do we actually delete expired memberships - expired_memberships_days_threshold: 90 - # How many days before actual expiration do we mail the co admin and member - expired_warning_mail_days_threshold: 10 - -invitation_reminders: - # Do we daily check for invitations that need a reminder? - enabled: {{ sram_sbs_invitation_reminders_enabled }} - cron_hour_of_day: {{ sram_sbs_cron_hour_of_day }} - # How many days before expiration of an invitation do we remind the user? - invitation_reminders_threshold: 5 - -invitation_expirations: - # Do we daily check for invitations that are expired / accepted and are eligible for deletion ? - enabled: {{ sram_sbs_invitation_expirations_enabled }} - cron_hour_of_day: {{ sram_sbs_cron_hour_of_day }} - # How long after expiration of an invitation do we delete the invitation? - nbr_days_remove_expired_invitations: 10 - # How long after expiration of an API created invitation do we delete the invitation? - nbr_days_remove_api_expired_invitations: 30 - -orphan_users: - # Do we daily check for users that are orphans soo they can be deleted? - enabled: {{ sram_sbs_delete_orphaned }} - cron_hour_of_day: {{ sram_sbs_cron_hour_of_day }} - # How long after created do we delete orphan users - delete_days_threshold: 14 - -open_requests: - # Do we weekly check for all open requests? - enabled: {{ sram_sbs_open_requests_enabled }} - cron_day_of_week: 1 - -scim_sweep: - # Do we enable scim sweeps? - enabled: {{ sram_sbs_scim_sweep }} - # How often do we check if scim sweeps are needed per service - cron_minutes_expression: "*/15" - -ldap: - url: "{{ sram_sbs_ldap_url }}" - bind_account: "{{ sram_sbs_ldap_bind_account }}" - -# A MFA login in a different flow is valid for X minutes -mfa_sso_time_in_minutes: {{ sram_sbs_mfa_sso_minutes }} - -# whether to fall back to TOTP MFA -mfa_fallback_enabled: {{ sram_sbs_mfa_fallback_enabled }} - -# Lower case entity ID's and schac_home allowed skipping MFA. -# Note that for a login directly into SRAM only schac_home can be used as the entity_idp of the IdP is unknown -mfa_idp_allowed: {{ sram_sbs_mfa_idp_allowed }} - -# Lower case schachome organisations / entity ID's where SURFSecure ID is used for step-up -ssid_identity_providers: {{ sram_sbs_ssid_identity_providers }} - -ssid_config_folder: saml - -pam_web_sso: - session_timeout_seconds: 300 - -rate_limit_totp_guesses_per_30_seconds: 10 - -# The uid's of user that will never be suspended or deleted -excluded_user_accounts: -{% for excluded_user in sram_sbs_excluded_users %} - - uid: "{{ excluded_user.uid }}" -{% endfor %} - -engine_block: - api_token: {{ sram_sbs_engine_block_api_token }} diff --git a/roles/sram_sbs/templates/disclaimer.css.j2 b/roles/sram_sbs/templates/disclaimer.css.j2 deleted file mode 100644 index ed34bdc09..000000000 --- a/roles/sram_sbs/templates/disclaimer.css.j2 +++ /dev/null @@ -1,6 +0,0 @@ -{% if sram_sbs_disclaimer_label!="" -%} -body::after { - background: {{ sram_sbs_disclaimer_color }}; - content: "{{ sram_sbs_disclaimer_label }}"; -} -{% endif %} diff --git a/roles/sram_sbs/templates/saml_advanced_settings.json.j2 b/roles/sram_sbs/templates/saml_advanced_settings.json.j2 deleted file mode 100644 index 0d03c63d7..000000000 --- a/roles/sram_sbs/templates/saml_advanced_settings.json.j2 +++ /dev/null @@ -1,35 +0,0 @@ -{ - "security": { - "nameIdEncrypted": false, - "authnRequestsSigned": true, - "logoutRequestSigned": false, - "logoutResponseSigned": false, - "signMetadata": false, - "wantMessagesSigned": false, - "wantAssertionsSigned": true, - "wantNameId" : true, - "wantNameIdEncrypted": false, - "wantAttributeStatement": false, - "wantAssertionsEncrypted": false, - "requestedAuthnContext": ["{{ sram_sbs_ssid_authncontext }}"], - "requestedAuthnContextComparison": "minimum", - "failOnAuthnContextMismatch": false, - "allowSingleLabelDomains": false, - "signatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", - "digestAlgorithm": "http://www.w3.org/2001/04/xmlenc#sha256", - "rejectDeprecatedAlgorithm": true - }, - "contactPerson": { - "technical": { - "givenName": "{{ mail.admin_name }}", - "emailAddress": "{{ mail.admin_address }}" - } - }, - "organization": { - "en-US": { - "name": "{{ org.name }}", - "displayname": "{{ org.name }}", - "url": "{{ org.url }}" - } - } -} diff --git a/roles/sram_sbs/templates/saml_settings.json.j2 b/roles/sram_sbs/templates/saml_settings.json.j2 deleted file mode 100644 index 073651110..000000000 --- a/roles/sram_sbs/templates/saml_settings.json.j2 +++ /dev/null @@ -1,22 +0,0 @@ -{ - "strict": true, - "debug": true, - "sp": { - "entityId": "{{ sram_sbs_surf_secure_id.sp_entity_id }}", - "assertionConsumerService": { - "url": "{{ sram_sbs_surf_secure_id.acs_url }}", - "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" - }, - "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", - "x509cert": "{{ sram_sbs_surf_secure_id.pub | barepem }}", - "privateKey": "{{ sram_sbs_surf_secure_id.priv | barepem }}" - }, - "idp": { - "entityId": "{{ sram_sbs_ssid_entityid }}", - "singleSignOnService": { - "url": "{{ sram_sbs_ssid_sso_endpoint }}", - "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" - }, - "x509cert": "{{ sram_sbs_surf_secure_id.sa_idp_certificate | barepem }}" - } -} diff --git a/roles/sram_sbs/templates/sbs-apache.conf.j2 b/roles/sram_sbs/templates/sbs-apache.conf.j2 deleted file mode 100644 index 1d19099eb..000000000 --- a/roles/sram_sbs/templates/sbs-apache.conf.j2 +++ /dev/null @@ -1,33 +0,0 @@ -ServerName {{ sram_sbs_base_domain }} -#ErrorLog /proc/self/fd/2 -#CustomLog /proc/self/fd/1 common -DocumentRoot /opt/sbs/client/dist - -Header set Content-Security-Policy "{{ httpd_csp.sram }}" -Header set Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(self), gamepad=(), speaker-selection=()" - -RewriteEngine On -RewriteCond %{REQUEST_URI} !^/(api|pam-weblogin|flasgger_static|swagger|health|config|info|socket.io) -RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-f -RewriteRule ^/(.*)$ /index.html [L] - -ProxyRequests off -ProxyPassMatch ^/(api|pam-weblogin|flasgger_static|swagger|health|config|info) http://sram-sbs-server:8080/ -ProxyPassReverse / http://sram-sbs-server:8080/ -ProxyPass /socket.io/ ws://sram-sbs-server:8080/socket.io/ -ProxyPassReverse /socket.io/ ws://sram-sbs-server:8080/socket.io/ - - - Header set Cache-Control "no-cache, private" - - - Header set Cache-Control "public, max-age=31536000, immutable" - - - Header set Cache-Control "no-cache, private" - - - - Require all granted - Options -Indexes -