This playbook contains roles for installing and configuring the SATOSA proxy, along with other tools surounding it.
It includes the roles:
- debops.unattended_upgrades
- debops.users
- devsec.ssh
- grnet.apt
- grnet.base
- grnet.certbot
- grnet.core
- grnet.docker
- grnet.ferm
- grnet.logging
- grnet.merge_vars
- grnet.openssl-certificate
- grnet.puppet.base
- grnet.satosa
- nginxinc.nginx
This playbook has only been tested with Debian Stretch.
Installs and configures the unattended upgrades package.
Creates and configures a set of users.
Configures the ssh and ssh keys.
Configures apt and install any required apt packages. All apt packages are installed using this role in conjunction with the grnet.merge_vars role.
Acts as a base role and is simply responsible of acting as a base that calls the roles: grnet.merge_vars, grnet.core, grnet.apt, debops.unattended_upgrades, debops.apt_listchanges, grnet.ferm, devsec.ssh, debops.users
Installs certbot and creates the necessary certificate using the nginx server or certbots own webserver.
Configures root user, ansible user and sets timezone.
Installs docker. This role uses grnet.merge_vars and grnet.apt in order to add the docker apt repo and install the docker package.
Creates ferm rules. Ferm rules are created using this role in conjunction with the grnet.merge_vars role.
Uses rsyslogd and logrotate to handle the logs of an application writing on syslog. This roles is usually included inside another role, more information on the available variables can be found here
A hacky role which takes advantage of the reflection properties of the ansible variable system. This role is used to collect and merge multiple lists or dictionaries into one based on their names.
Creates a self-signed openssl certificate. More information on the available variables can be found here
Installs and configures SATOSA. More information on the available variables can be found here
Installs and configures nginx. This role is taken from nginxinc.nginx
Generally we use 3 groups: proxy, nginx and satosa.
nginx and satosa are responsible for installing the corresponding component. The proxy group is used to install both nginx and satosa, since most of the time they are run at the same host.
In each inventory several variables are defined to override the default values.
In the group_vars/all folder basic variables are configured. In the ferm_defs file we define ferm variables that are used in the ferm rules (all ansible variables of the format {role_name}__ferm__def_variables_to_merge will be used to define ferm definitions). In the users file we define the users that will be created and configured using the debops.users role.
Other than that we define the necessary group_vars and host_vars for each use case.
In order to run this ansible playbook we must:
- Define the necessary inventory and variables. For this example let's assume we want to create a SATOSA installation connected to EIDAS so we will have an nginx receiving all requests, the SSL will be terminated at nginx then the request will be redirected to SATOSA. An example inventory achieving this is
inventories/EIDAS. - After defining the necessary variables and hosts we must run the playbook located at
play/bootstrap.ymlwhich will create the necessary users, since our ansible roles are configured to as the ansible user and not as debian which is the default user of okeanos' debian VMs (of course this could be changed). So we must run:ansible-playbook plays/bootstrap.yml -i inventories/EIDAS - After this is run we must run the playbook located in
site.yml, this playbook is simply used to run several the other playbooks which will install the requested components, all playbooks exceptsite.ymlare located in the plays folder. So we must run:ansible-playbook site.yml -i inventories/EIDAS
After this out installation must be complete. For further information about configuring the playbook look to our docs