ipsilon: Fix configuration

roles/ipsilon/README.md

@@ -0,0 +1,28 @@
+== Creating openidc key ==
+
+Create two rsa keys:
+```
+openssl genrsa -out signing.key 4096
+openssl genrsa -out encryption.key 4096
+```
+
+Create JWK keys:
+```
+python3 -c '
+from datetime import datetime
+from jwcrypto.jwk import JWK, JWKSet
+keyset = JWKSet()
+date = datetime.now().strftime("%Y%m%d")
+with open("./signing.key", "r") as key:
+    jwkkey = JWK.from_pem(key.read().encode("UTF-8"))
+    jwkkey.update(use="sig")
+    jwkkey.update(kid=f"{date}-sig")
+    keyset.add(jwkkey)
+with open("./encryption.key", "r") as key:
+    jwkkey = JWK.from_pem(key.read().encode("UTF-8"))
+    jwkkey.update(use="enc")
+    jwkkey.update(kid=f"{date}-enc")
+    keyset.add(jwkkey)
+print(keyset.export())
+'
+```

roles/ipsilon/templates/ipsilon-container.service.j2

@@ -10,9 +10,9 @@ ExecStart=/usr/bin/podman run \
     --rm -p 127.0.0.1:8011:80 \
     --name ipsilon \
     --env LDAP_* --env IPSILON_*\
-    --volume={{ tls_certs }}/ca.crt:/etc/ssl/certs/ca.crt:ro \
+    --volume={{ tls_certs }}/ca.crt:/etc/pki/tls/certs/ca.crt:ro \
-    --volume={{ tls_certs }}/{{ inventory_hostname }}.crt:/etc/ssl/certs/{{ inventory_hostname }}.crt:ro \
+    --volume={{ tls_certs }}/{{ inventory_hostname }}.crt:/etc/pki/tls/certs/{{ inventory_hostname }}.crt:ro \
-    --volume={{ tls_private }}/ipsilon.key:/etc/ssl/private/{{ inventory_hostname }}.key:ro \
+    --volume={{ tls_private }}/ipsilon.key:/etc/pki/tls/private/{{ inventory_hostname }}.key:ro \
     --volume={{ tls_private }}/openidc.key:/etc/ipsilon/openidc.key:ro \
     --volume=/etc/ipsilon/openidc-static.conf:/etc/ipsilon/root/openidc-static.conf:rw \
     ipsilon:latest

roles/ipsilon/templates/ipsilon-container.sysconfig.j2

@@ -1,10 +1,11 @@
 LDAP_BASEDN="{{ ldap_basedn }}"
+LDAP_BINDPW="{{ ipsilon_ldap_pass }}"
 IPSILON_DB_USER="ipsilon"
 IPSILON_DB_PASS="{{ ipsilon_mysql_pass }}"
 IPSILON_DB_HOST="sqldb02.home.foo.sh"
-IPSILON_DB_CA="/etc/ssl/certs/ca.crt"
+IPSILON_DB_CA="{{ tls_certs }}/ca.crt"
-IPSILON_DB_KEY="/etc/ssl/private/{{ inventory_hostname }}.key"
+IPSILON_DB_KEY="{{ tls_private }}/{{ inventory_hostname }}.key"
-IPSILON_DB_CERT="/etc/ssl/certs/{{ inventory_hostname}}.crt"
+IPSILON_DB_CERT="{{ tls_certs }}/{{ inventory_hostname}}.crt"
 IPSILON_HOSTNAME="idp.foo.sh"
 IPSILON_OPENIDC_KEYID="{{ ipsilon_openidc_keyid }}"
 IPSILON_OPENIDC_SALT="{{ ipsilon_openidc_salt }}"

roles/ipsilon/templates/openidc-static.conf.j2

@@ -15,12 +15,12 @@
 {{ client["name"] }} jwks_uri=null
 {{ client["name"] }} logo_uri=null
 {{ client["name"] }} policy_uri=null
-{{ client["name"] }} redirect_uris=["{{ client["redirect_uri"] }}"]
+{{ client["name"] }} redirect_uris={{ client["redirect_uris"] | ansible.builtin.to_json }}
 {{ client["name"] }} request_uris=[]
 {{ client["name"] }} require_auth_time=null
 {{ client["name"] }} response_types=["code"]
 {{ client["name"] }} subject_type="pairwise"
 {{ client["name"] }} sector_identifier_uri=null
-{{ client["name"] }} token_endpoint_auth_method="client_secret_post"
+{{ client["name"] }} token_endpoint_auth_method="{{ client["token_endpoint_auth_method"] | default("client_secret_post") }}"
 {{ client["name"] }} tos_uri=null
 {% endfor %}