From a793f59a33a721ec12ab6275a9f3af7876dfa19c Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sat, 1 Mar 2025 19:09:07 +0000
Subject: [PATCH] ipsilon: Fix configuration
---
 roles/ipsilon/README.md | 28 +++++++++++++++++++
 .../templates/ipsilon-container.service.j2 | 6 ++--
 .../templates/ipsilon-container.sysconfig.j2 | 7 +++--
 .../ipsilon/templates/openidc-static.conf.j2 | 4 +--
 4 files changed, 37 insertions(+), 8 deletions(-)
 create mode 100644 roles/ipsilon/README.md
diff --git a/roles/ipsilon/README.md b/roles/ipsilon/README.md
new file mode 100644
index 0000000..5e29d18
--- /dev/null
+++ b/roles/ipsilon/README.md
@@ -0,0 +1,28 @@
+== Creating openidc key ==
+
+Create two rsa keys:
+```
+openssl genrsa -out signing.key 4096
+openssl genrsa -out encryption.key 4096
+```
+
+Create JWK keys:
+```
+python3 -c '
+from datetime import datetime
+from jwcrypto.jwk import JWK, JWKSet
+keyset = JWKSet()
+date = datetime.now().strftime("%Y%m%d")
+with open("./signing.key", "r") as key:
+ jwkkey = JWK.from_pem(key.read().encode("UTF-8"))
+ jwkkey.update(use="sig")
+ jwkkey.update(kid=f"{date}-sig")
+ keyset.add(jwkkey)
+with open("./encryption.key", "r") as key:
+ jwkkey = JWK.from_pem(key.read().encode("UTF-8"))
+ jwkkey.update(use="enc")
+ jwkkey.update(kid=f"{date}-enc")
+ keyset.add(jwkkey)
+print(keyset.export())
+'
+```
diff --git a/roles/ipsilon/templates/ipsilon-container.service.j2 b/roles/ipsilon/templates/ipsilon-container.service.j2
index d3fe6bf..2c08f94 100644
--- a/roles/ipsilon/templates/ipsilon-container.service.j2
+++ b/roles/ipsilon/templates/ipsilon-container.service.j2
@@ -10,9 +10,9 @@ ExecStart=/usr/bin/podman run \
 --rm -p 127.0.0.1:8011:80 \
 --name ipsilon \
 --env LDAP_* --env IPSILON_*\
- --volume={{ tls_certs }}/ca.crt:/etc/ssl/certs/ca.crt:ro \
- --volume={{ tls_certs }}/{{ inventory_hostname }}.crt:/etc/ssl/certs/{{ inventory_hostname }}.crt:ro \
- --volume={{ tls_private }}/ipsilon.key:/etc/ssl/private/{{ inventory_hostname }}.key:ro \
+ --volume={{ tls_certs }}/ca.crt:/etc/pki/tls/certs/ca.crt:ro \
+ --volume={{ tls_certs }}/{{ inventory_hostname }}.crt:/etc/pki/tls/certs/{{ inventory_hostname }}.crt:ro \
+ --volume={{ tls_private }}/ipsilon.key:/etc/pki/tls/private/{{ inventory_hostname }}.key:ro \
 --volume={{ tls_private }}/openidc.key:/etc/ipsilon/openidc.key:ro \
 --volume=/etc/ipsilon/openidc-static.conf:/etc/ipsilon/root/openidc-static.conf:rw \
 ipsilon:latest
diff --git a/roles/ipsilon/templates/ipsilon-container.sysconfig.j2 b/roles/ipsilon/templates/ipsilon-container.sysconfig.j2
index 7a4ba72..4150eaf 100644
--- a/roles/ipsilon/templates/ipsilon-container.sysconfig.j2
+++ b/roles/ipsilon/templates/ipsilon-container.sysconfig.j2
@@ -1,10 +1,11 @@
 LDAP_BASEDN="{{ ldap_basedn }}"
+LDAP_BINDPW="{{ ipsilon_ldap_pass }}"
 IPSILON_DB_USER="ipsilon"
 IPSILON_DB_PASS="{{ ipsilon_mysql_pass }}"
 IPSILON_DB_HOST="sqldb02.home.foo.sh"
-IPSILON_DB_CA="/etc/ssl/certs/ca.crt"
-IPSILON_DB_KEY="/etc/ssl/private/{{ inventory_hostname }}.key"
-IPSILON_DB_CERT="/etc/ssl/certs/{{ inventory_hostname}}.crt"
+IPSILON_DB_CA="{{ tls_certs }}/ca.crt"
+IPSILON_DB_KEY="{{ tls_private }}/{{ inventory_hostname }}.key"
+IPSILON_DB_CERT="{{ tls_certs }}/{{ inventory_hostname}}.crt"
 IPSILON_HOSTNAME="idp.foo.sh"
 IPSILON_OPENIDC_KEYID="{{ ipsilon_openidc_keyid }}"
 IPSILON_OPENIDC_SALT="{{ ipsilon_openidc_salt }}"
diff --git a/roles/ipsilon/templates/openidc-static.conf.j2 b/roles/ipsilon/templates/openidc-static.conf.j2
index a200a3a..f6bb88d 100644
--- a/roles/ipsilon/templates/openidc-static.conf.j2
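Review bot: The new IPSILON_DB_CA, IPSILON_DB_KEY and IPSILON_DB_CERT values in the ipsilon-container.sysconfig.j2 hunk are host-side paths built from `{{ tls_certs }}` and `{{ tls_private }}`, yet the unit forwards them into the container with `--env IPSILON_*`, where the same files are mounted at the fixed destinations `/etc/pki/tls/certs/...` and `/etc/pki/tls/private/...` chosen in the ipsilon-container.service.j2 hunk. The two only agree if those variables resolve to exactly `/etc/pki/tls/certs` and `/etc/pki/tls/private` on every host; the key is also `ipsilon.key` on the host but `{{ inventory_hostname }}.key` inside the container, which suggests the env values are meant to be container paths. Either keep the sysconfig values container-side, e.g. `IPSILON_DB_KEY="/etc/pki/tls/private/{{ inventory_hostname }}.key"`, or build the mount destinations from the same variables so one definition drives both files. The sysconfig file now also carries `LDAP_BINDPW`; the task rendering it is outside this patch, so confirm it writes the file with a restrictive mode such as 0600. Minor: `{{ inventory_hostname}}` on the IPSILON_DB_CERT line lacks the closing space every other expression uses.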
+++ b/roles/ipsilon/templates/openidc-static.conf.j2
@@ -15,12 +15,12 @@
 {{ client["name"] }} jwks_uri=null
 {{ client["name"] }} logo_uri=null
 {{ client["name"] }} policy_uri=null
-{{ client["name"] }} redirect_uris=["{{ client["redirect_uri"] }}"]
+{{ client["name"] }} redirect_uris={{ client["redirect_uris"] | ansible.builtin.to_json }}
 {{ client["name"] }} request_uris=[]
 {{ client["name"] }} require_auth_time=null
 {{ client["name"] }} response_types=["code"]
 {{ client["name"] }} subject_type="pairwise"
 {{ client["name"] }} sector_identifier_uri=null
-{{ client["name"] }} token_endpoint_auth_method="client_secret_post"
+{{ client["name"] }} token_endpoint_auth_method="{{ client["token_endpoint_auth_method"] | default("client_secret_post") }}"
 {{ client["name"] }} tos_uri=null
 {% endfor %}
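Review bot: The new token_endpoint_auth_method line splices the per-client inventory value into a hand-written quoted string, while the redirect_uris line in the same hunk now serialises through `ansible.builtin.to_json`; a value containing a double quote or backslash corrupts the generated line, and a value such as `none` (if ipsilon honours it) silently turns that client into a public client that presents no secret. Rendering it the same way as redirect_uris, `{{ client["name"] }} token_endpoint_auth_method={{ client["token_endpoint_auth_method"] | default("client_secret_post") | ansible.builtin.to_json }}`, yields a correctly quoted JSON string and keeps the two lines consistent. For redirect_uris, `to_json` emits a JSON string rather than a list when an inventory entry still sets a scalar, so an `ansible.builtin.assert` in the role checking `client.redirect_uris is sequence and client.redirect_uris is not string` would fail early; the old `redirect_uri` key disappears from the schema and existing entries must be migrated.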