From c8cebfef9196022d7a120e44bf70260f1e4f09d0 Mon Sep 17 00:00:00 2001 From: Peter Havekes Date: Tue, 21 Jan 2025 10:29:17 +0100 Subject: [PATCH 1/2] Add eduID servicedesk role --- roles/myconext/tasks/main.yml | 38 ++++++++++ roles/servicedesk-gui/defaults/main.yml | 4 + roles/servicedesk-gui/handlers/main.yml | 15 ++++ roles/servicedesk-gui/meta/main.yml | 1 + roles/servicedesk-gui/tasks/main.yml | 6 ++ .../servicedesk-gui/templates/account.conf.j2 | 74 +++++++++++++++++++ roles/servicedesk-gui/vars/main.yml | 4 + roles/springboot/defaults/main.yml | 5 ++ 8 files changed, 147 insertions(+) create mode 100644 roles/servicedesk-gui/defaults/main.yml create mode 100644 roles/servicedesk-gui/handlers/main.yml create mode 100644 roles/servicedesk-gui/meta/main.yml create mode 100644 roles/servicedesk-gui/tasks/main.yml create mode 100644 roles/servicedesk-gui/templates/account.conf.j2 create mode 100644 roles/servicedesk-gui/vars/main.yml
diff --git a/roles/myconext/tasks/main.yml b/roles/myconext/tasks/main.yml
index 54c425e86..0d386520d 100644
--- a/roles/myconext/tasks/main.yml
+++ b/roles/myconext/tasks/main.yml
@@ -207,7 +207,45 @@ - source: /opt/openconext/myconext/apple-app-site-association
target: /var/www/.well-known/apple-app-site-association
type: bind
+ env:
+ HTTPD_CSP: "{{ httpd_csp.lenient_with_static_img_for_idp }}"
+ HTTPD_SERVERNAME: "login.{{ myconext_base_domain }}"
+- name: Create the servicedesk gui
+ community.docker.docker_container:
+ name: servicedeskgui
+ image: ghcr.io/openconext/openconext-myconext/servicedesk-gui:{{ servicedesk_gui_version }}
+ pull: true
+ restart_policy: "always"
+ state: started
+ networks:
+ - name: "loadbalancer"
+ labels:
+ traefik.http.routers.servicedeskgui.rule: "Host(`servicedesk.{{ myconext_base_domain }}`)"
+ traefik.http.routers.servicedeskgui.tls: "true"
+ traefik.enable: "true"
+ healthcheck:
+ test: ["CMD", "curl", "--fail" , "http://localhost"]
+ interval: 10s
+ timeout: 10s
+ retries: 3
+ start_period: 10s
+ mounts:
+ - source: /etc/localtime
+ target: /etc/localtime
+ type: bind
+ - source: /opt/openconext/common/favicon.ico
+ target: /var/www/favicon.ico
+ type: bind
+ - source: /opt/openconext/myconext/apple-app-site-association
+ target: /var/www/.well-known/apple-app-site-association
+ type: bind
env:
HTTPD_CSP: "{{ httpd_csp.lenient_with_static_img_for_idp }}"
HTTPD_SERVERNAME: "login.{{ myconext_base_domain }}"
+ OPENCONEXT_INSTANCENAME: "{{ instance_name }}"
+ OPENCONEXT_ENGINE_LOGOUT_URL: "https://engine.{{ base_domain }}/logout"
+ OPENCONEXT_HELP_EMAIL: "{{ support_email }}"
+ SHIB_ENTITYID: "https://servicedesk.{{ myconext_base_domain }}/shibboleth"
+ SHIB_REMOTE_ENTITYID: "https://engine.{{ base_domain }}/authentication/idp/metadata"
+ SHIB_REMOTE_METADATA: "{{ shibboleth_metadata_sources.engine }}"
diff --git a/roles/servicedesk-gui/defaults/main.yml b/roles/servicedesk-gui/defaults/main.yml
new file mode 100644
index 000000000..2aadf58ef
--- /dev/null
+++ b/roles/servicedesk-gui/defaults/main.yml
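Review bot: The servicedeskgui container ends up with `HTTPD_SERVERNAME: "login.{{ myconext_base_domain }}"` — the pre-existing `env:` context lines now fall inside the new task while the patch re-adds an identical block for the task above — but its Traefik rule and `SHIB_ENTITYID` use the `servicedesk.` host, so Apache's canonical name, and any self-referencing redirect or SAML endpoint URL derived from it, may point at the login host instead. Set `HTTPD_SERVERNAME: "servicedesk.{{ myconext_base_domain }}"` on the new container. The `apple-app-site-association` bind mount also looks copied from the login container; serving that file on the servicedesk host would extend the iOS universal-link association to it, so drop the mount unless that is intended. `image:` is built from `servicedesk_gui_version`, and since 2/2 of this series deletes the role defaults that declared it, the variable has no default anywhere in the series; an empty value renders an image reference ending in `:` that `pull: true` cannot resolve, so it needs to be set in inventory or guarded with an `assert`. The task list continues outside the hunk.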
@@ -0,0 +1,4 @@
+---
+servicedesk_gui_version: ''
+servicedesk_gui_snapshot_timestamp: ''
+servicedesk_install: true
diff --git a/roles/servicedesk-gui/handlers/main.yml b/roles/servicedesk-gui/handlers/main.yml
new file mode 100644
index 000000000..a45857dd2
--- /dev/null
+++ b/roles/servicedesk-gui/handlers/main.yml
@@ -0,0 +1,15 @@
+---
+- name: restart httpd
+ service:
+ name: httpd
+ state: restarted
+
+- name: reload httpd
+ service:
+ name: httpd
+ state: reloaded
+
+- name: restart iptables
+ service:
+ name: iptables
+ state: restarted
diff --git a/roles/servicedesk-gui/meta/main.yml b/roles/servicedesk-gui/meta/main.yml
new file mode 100644
index 000000000..73b314ff7
--- /dev/null
+++ b/roles/servicedesk-gui/meta/main.yml
@@ -0,0 +1 @@
+---
\ No newline at end of file
diff --git a/roles/servicedesk-gui/tasks/main.yml b/roles/servicedesk-gui/tasks/main.yml
new file mode 100644
index 000000000..673777ef7
--- /dev/null
+++ b/roles/servicedesk-gui/tasks/main.yml
@@ -0,0 +1,6 @@
+---
+- name: copy virtual host config
+ template:
+ src: servicedesk.conf.j2
+ dest: /etc/httpd/conf.d/servicedesk.conf
+ notify: reload httpd
diff --git a/roles/servicedesk-gui/templates/account.conf.j2 b/roles/servicedesk-gui/templates/account.conf.j2
new file mode 100644
index 000000000..270e1c769
--- /dev/null
+++ b/roles/servicedesk-gui/templates/account.conf.j2
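Review bot: The template task references `src: servicedesk.conf.j2`, but the only template this commit adds is `templates/account.conf.j2`, so the task fails at runtime with a missing-template error before anything is written to `/etc/httpd/conf.d/`. Either rename the file to `servicedesk.conf.j2` or point `src:` at `account.conf.j2`, and give the rendered vhost explicit ownership and permissions (`owner: root`, `group: root`, `mode: "0644"`) rather than inheriting the controller's umask. The `restart httpd` and `restart iptables` handlers added alongside are never notified by this role's single task. Patch 2/2 of this series deletes the role again, so this only matters if it is reinstated.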
@@ -0,0 +1,74 @@
+{% if apache_app_listen_address.servicedesk is defined %}
+Listen {{ apache_app_listen_address.servicedesk }}:{{ loadbalancing.servicedesk.port }}
+
+{% else %}
+
+{% endif %}
+ # General setup for the virtual host, inherited from global configuration
+ ServerName https://login.{{ myconext_base_domain }}
+
+ ErrorLog "|/usr/bin/logger -S 32k -p local3.err -t 'Apache-servicedesk'"
+ CustomLog "|/usr/bin/logger -S 32k -p local3.info -t 'Apache-servicedesk'" combined
+
+ RewriteEngine on
+
+ {% for links in myconext.links %}
+ RewriteRule "^/{{ links.name }}(/|$)" "{{ links.url }}" [R,L]
+ {% endfor %}
+
+ RewriteCond %{REQUEST_URI} !\.html$
+ RewriteCond %{REQUEST_URI} !\.(js|css)(\.map)?$
+ RewriteCond %{REQUEST_URI} !\.svg$
+ RewriteCond %{REQUEST_URI} !\.png$
+ RewriteCond %{REQUEST_URI} !\.ico$
+ RewriteCond %{REQUEST_URI} !\.woff$
+ RewriteCond %{REQUEST_URI} !\.woff2$
+ RewriteCond %{REQUEST_URI} !\.ttf$
+ RewriteCond %{REQUEST_URI} !\.eot$
+ RewriteCond %{REQUEST_URI} !^/(asset-)?manifest.json$
+ RewriteCond %{REQUEST_URI} !^/myconext
+ RewriteCond %{REQUEST_URI} !^/tiqr
+ RewriteCond %{REQUEST_URI} !^/config
+ RewriteCond %{REQUEST_URI} !^/saml
+ RewriteCond %{REQUEST_URI} !^/actuator
+ RewriteCond %{REQUEST_URI} !^/internal
+ RewriteCond %{REQUEST_URI} !^/fonts
+ RewriteCond %{REQUEST_URI} !^/.well-known
+ RewriteRule (.*) /index.html [L]
+
+ ProxyPreserveHost On
+ ProxyPass /myconext/api http://localhost:{{ springapp_tcpport }}/myconext/api retry=0
+ ProxyPassReverse /myconext/api http://localhost:{{ springapp_tcpport }}/myconext/api
+
+ ProxyPass /actuator http://localhost:{{ springapp_tcpport }}/internal retry=0
+ ProxyPass /internal http://localhost:{{ springapp_tcpport }}/internal retry=0
+ ProxyPass /config http://localhost:{{ springapp_tcpport }}/config retry=0
+
+ DocumentRoot "{{ _springapp_dir }}/current"
+
+
+ Require all granted
+ Options -Indexes
+
+
+ Header always set Content-Security-Policy "{{ httpd_csp.lenient_with_static_img_for_idp }}"
+ Header always set X-Frame-Options "DENY"
+ Header always set Referrer-Policy "same-origin"
+ Header always set X-Content-Type-Options "nosniff"
+
+ {% if haproxy_backend_tls %}
+ SSLEngine on
+ SSLCertificateFile {{ tls.cert_path }}/backend.{{ base_domain }}.pem
+ SSLCertificateKeyFile {{ tls.cert_private_path }}/backend.{{ base_domain }}.key
+ Include ssl_backend.conf
+ {% endif %}
+
+ {% if apache_app_listen_address.all is defined %}
+ SSLEngine on
+ SSLCertificateFile {{ tls.cert_path }}/{{ tls_star_cert }}
+ SSLCertificateKeyFile {{ tls.cert_private_path }}/{{ tls_star_cert_key }}
+ SSLCertificateChainFile {{ tls.cert_path_ca }}/{{ tls_ca }}
+ Include ssl_backend.conf
+ {% endif %}
+
+
diff --git a/roles/servicedesk-gui/vars/main.yml b/roles/servicedesk-gui/vars/main.yml
new file mode 100644
index 000000000..90a4a758a
--- /dev/null
+++ b/roles/servicedesk-gui/vars/main.yml
@@ -0,0 +1,4 @@
+---
+springapp_tcpport: 9189
+springapp_artifact_id: servicedesk-gui
+springapp_version: "{{ servicedesk_gui_version }}"
diff --git a/roles/springboot/defaults/main.yml b/roles/springboot/defaults/main.yml
index a3219e7c1..def37fca6 100644
--- a/roles/springboot/defaults/main.yml
+++ b/roles/springboot/defaults/main.yml
@@ -27,6 +27,11 @@ springboot_gui_services:
group: myconext
enabled: "{{ springboot_services_state.account }}"
version: "{{ account_gui_version }}"
+ - name: servicedesk
+ alias: servicedesk-gui
+ group: myconext
+ enabled: "{{ springboot_services_state.servicedesk }}"
+ version: "{{ servicedesk_gui_version }}"
springboot_server_services: - name: manage
From b92131e382fb8e02f4b9b3ea4f42d75dce3a8d95 Mon Sep 17 00:00:00 2001
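Review bot: `ProxyPass /actuator` and `ProxyPass /internal` forward Spring Boot management endpoints to port `{{ springapp_tcpport }}` with no access restriction visible in the vhost, so whatever the application exposes under `/internal` is reachable from the Internet on the servicedesk host. Wrap them in a `<Location /internal>` block with `Require ip` for the monitoring hosts, or drop the two ProxyPass lines if the load balancer health check does not need them; the enclosing `<VirtualHost>` and `<Directory>` container lines appear to have been lost in this listing, so I cannot tell what scope `Require all granted` applies to. `ServerName https://login.{{ myconext_base_domain }}` names the login host rather than `servicedesk.`, and the `/myconext`, `/tiqr` and `/saml` rewrite exclusions plus the `/myconext/api` proxy suggest the file was copied verbatim from the account GUI vhost, so each path should be checked against what servicedesk-gui actually serves. Patch 2/2 of this series deletes this file again.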
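Review bot: `enabled: "{{ springboot_services_state.servicedesk }}"` introduces a new required inventory key; on any inventory that has not added `servicedesk` to `springboot_services_state`, the first task that evaluates `springboot_gui_services` fails with an undefined-variable error for every host that runs the springboot role, not only those deploying servicedesk. Either add the key to the inventory in the same change or make the entry opt-in with `enabled: "{{ springboot_services_state.servicedesk | default(false) }}"`. `version: "{{ servicedesk_gui_version }}"` has the same gap once 2/2 removes the role defaults that declared it. If the springboot role still installs every entry of `springboot_gui_services` as an artifact, this also registers a jar-based deployment of servicedesk-gui next to the Docker container added in roles/myconext, which is worth confirming is intended. The `springboot_gui_services` list begins before the hunk.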
From: Peter Havekes Date: Tue, 21 Jan 2025 11:39:41 +0100 Subject: [PATCH 2/2] remove servicedesk-gui role --- roles/servicedesk-gui/defaults/main.yml | 4 - roles/servicedesk-gui/handlers/main.yml | 15 ---- roles/servicedesk-gui/meta/main.yml | 1 - roles/servicedesk-gui/tasks/main.yml | 6 -- .../servicedesk-gui/templates/account.conf.j2 | 74 ------------------- roles/servicedesk-gui/vars/main.yml | 4 - 6 files changed, 104 deletions(-) delete mode 100644 roles/servicedesk-gui/defaults/main.yml delete mode 100644 roles/servicedesk-gui/handlers/main.yml delete mode 100644 roles/servicedesk-gui/meta/main.yml delete mode 100644 roles/servicedesk-gui/tasks/main.yml delete mode 100644 roles/servicedesk-gui/templates/account.conf.j2 delete mode 100644 roles/servicedesk-gui/vars/main.yml
diff --git a/roles/servicedesk-gui/defaults/main.yml b/roles/servicedesk-gui/defaults/main.yml
deleted file mode 100644
index 2aadf58ef..000000000
--- a/roles/servicedesk-gui/defaults/main.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-servicedesk_gui_version: ''
-servicedesk_gui_snapshot_timestamp: ''
-servicedesk_install: true
diff --git a/roles/servicedesk-gui/handlers/main.yml b/roles/servicedesk-gui/handlers/main.yml
deleted file mode 100644
index a45857dd2..000000000
--- a/roles/servicedesk-gui/handlers/main.yml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-- name: restart httpd
- service:
- name: httpd
- state: restarted
-
-- name: reload httpd
- service:
- name: httpd
- state: reloaded
-
-- name: restart iptables
- service:
- name: iptables
- state: restarted
diff --git a/roles/servicedesk-gui/meta/main.yml b/roles/servicedesk-gui/meta/main.yml
deleted file mode 100644
index 73b314ff7..000000000
--- a/roles/servicedesk-gui/meta/main.yml
+++ /dev/null
@@ -1 +0,0 @@
----
\ No newline at end of file
diff --git a/roles/servicedesk-gui/tasks/main.yml b/roles/servicedesk-gui/tasks/main.yml
deleted file mode 100644
index 673777ef7..000000000
--- a/roles/servicedesk-gui/tasks/main.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-- name: copy virtual host config
- template:
- src: servicedesk.conf.j2
- dest: /etc/httpd/conf.d/servicedesk.conf
- notify: reload httpd
diff --git a/roles/servicedesk-gui/templates/account.conf.j2 b/roles/servicedesk-gui/templates/account.conf.j2
deleted file mode 100644
index 270e1c769..000000000
--- a/roles/servicedesk-gui/templates/account.conf.j2
+++ /dev/null
@@ -1,74 +0,0 @@
-{% if apache_app_listen_address.servicedesk is defined %}
-Listen {{ apache_app_listen_address.servicedesk }}:{{ loadbalancing.servicedesk.port }}
-
-{% else %}
-
-{% endif %}
- # General setup for the virtual host, inherited from global configuration
- ServerName https://login.{{ myconext_base_domain }}
-
- ErrorLog "|/usr/bin/logger -S 32k -p local3.err -t 'Apache-servicedesk'"
- CustomLog "|/usr/bin/logger -S 32k -p local3.info -t 'Apache-servicedesk'" combined
-
- RewriteEngine on
-
- {% for links in myconext.links %}
- RewriteRule "^/{{ links.name }}(/|$)" "{{ links.url }}" [R,L]
- {% endfor %}
-
- RewriteCond %{REQUEST_URI} !\.html$
- RewriteCond %{REQUEST_URI} !\.(js|css)(\.map)?$
- RewriteCond %{REQUEST_URI} !\.svg$
- RewriteCond %{REQUEST_URI} !\.png$
- RewriteCond %{REQUEST_URI} !\.ico$
- RewriteCond %{REQUEST_URI} !\.woff$
- RewriteCond %{REQUEST_URI} !\.woff2$
- RewriteCond %{REQUEST_URI} !\.ttf$
- RewriteCond %{REQUEST_URI} !\.eot$
- RewriteCond %{REQUEST_URI} !^/(asset-)?manifest.json$
- RewriteCond %{REQUEST_URI} !^/myconext
- RewriteCond %{REQUEST_URI} !^/tiqr
- RewriteCond %{REQUEST_URI} !^/config
- RewriteCond %{REQUEST_URI} !^/saml
- RewriteCond %{REQUEST_URI} !^/actuator
- RewriteCond %{REQUEST_URI} !^/internal
- RewriteCond %{REQUEST_URI} !^/fonts
- RewriteCond %{REQUEST_URI} !^/.well-known
- RewriteRule (.*) /index.html [L]
-
- ProxyPreserveHost On
- ProxyPass /myconext/api http://localhost:{{ springapp_tcpport }}/myconext/api retry=0
- ProxyPassReverse /myconext/api http://localhost:{{ springapp_tcpport }}/myconext/api
-
- ProxyPass /actuator http://localhost:{{ springapp_tcpport }}/internal retry=0
- ProxyPass /internal http://localhost:{{ springapp_tcpport }}/internal retry=0
- ProxyPass /config http://localhost:{{ springapp_tcpport }}/config retry=0
-
- DocumentRoot "{{ _springapp_dir }}/current"
-
-
- Require all granted
- Options -Indexes
-
-
- Header always set Content-Security-Policy "{{ httpd_csp.lenient_with_static_img_for_idp }}"
- Header always set X-Frame-Options "DENY"
- Header always set Referrer-Policy "same-origin"
- Header always set X-Content-Type-Options "nosniff"
-
- {% if haproxy_backend_tls %}
- SSLEngine on
- SSLCertificateFile {{ tls.cert_path }}/backend.{{ base_domain }}.pem
- SSLCertificateKeyFile {{ tls.cert_private_path }}/backend.{{ base_domain }}.key
- Include ssl_backend.conf
- {% endif %}
-
- {% if apache_app_listen_address.all is defined %}
- SSLEngine on
- SSLCertificateFile {{ tls.cert_path }}/{{ tls_star_cert }}
- SSLCertificateKeyFile {{ tls.cert_private_path }}/{{ tls_star_cert_key }}
- SSLCertificateChainFile {{ tls.cert_path_ca }}/{{ tls_ca }}
- Include ssl_backend.conf
- {% endif %}
-
-
diff --git a/roles/servicedesk-gui/vars/main.yml b/roles/servicedesk-gui/vars/main.yml
deleted file mode 100644
index 90a4a758a..000000000
--- a/roles/servicedesk-gui/vars/main.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-springapp_tcpport: 9189
-springapp_artifact_id: servicedesk-gui
-springapp_version: "{{ servicedesk_gui_version }}"