forked from OpenConext/Stepup-Deploy
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathenvironment.conf
116 lines (101 loc) · 4.01 KB
/
environment.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
# Set to 1 to encrypt all keys, secrets and passwords with a symmetric key using keyszar.
# Requires python keyszar to be installed (https://github.com/google/keyczar)
# Set to 0 to write keys, secrets and passwords in plaintext.
# The Stepup-Deploy scripts assume that secrets are encrypted, so keep USE_KEYSZAR=1
USE_KEYSZAR=1
# Name of the keystore dir in the environment
# If you change this, update "vault_keydir" in group_vars/all.yml as well
KEYSTORE_DIR="stepup-ansible-keystore"
# Length of generated passwords in characters
PASSWORD_LENGTH=15
# List of passwords to generate. Specify the filename of the password file to create. Passwords are
# stored in the "password" directory
PASSWORDS=(
"middleware_selfservice_api"
"middleware_registration_authority_api"
"middleware_management_api"
"mariadb_root"
"mariadb_cluster"
"mariadb_backup"
"database_stepup_deploy"
"database_gateway"
"database_gateway_deploy"
"database_gateway_readonly"
"database_middleware"
"database_middleware_deploy"
"database_middleware_readonly"
"database_keyserver_deploy"
"database_keyserver"
"database_tiqr"
"database_tiqr_deploy"
"database_u2f"
"manage_kibana"
)
# Length of generated secrets in characters
SECRET_LENGTH=40
# List of secrets to generate. Specify the filename of the secret file to create. Secrets are
# stored in the "secret" directory
SECRETS=(
"gateway"
"middleware"
"ra"
"selfservice"
"tiqr"
"keyserver"
"oath_keyserver"
)
# TODO: Set SAML_O to a descriptive name of your environment
SAML_O="Development VM"
# List of self signed certificates to generate. Format: "<basename>:<DN>"
# Where:
# - <filename> is the basename used for the certificate an key on disk
# - <DN> is the distinguised name of the certificate in OpenSSL format
#
# Because they are selfsigned, this certificates are perfect signing
# SAML messages
SAML_CERTS=(
"gateway_saml_idp:/CN=Gateway SAML IdP/O=${SAML_O}"
"gateway_saml_sp:/CN=Gateway SAML SP/O=${SAML_O}"
"selfservice_saml_sp:/CN=SelfService SAML SP/O=${SAML_O}"
"ra_saml_sp:/CN=RA SAML SP/O=${SAML_O}"
# GSSP
# The four SAML signing certificates below are used to proxy GSSP SAML requests and responses through
# the Stepup-Gateway to SelfService and RA
"selfservice_gssp_sp:/CN=SelfService Tiqr SP/O=${SAML_O}"
"ra_gssp_sp:/CN=RA Tiqr SP/O=${SAML_O}"
"gateway_gssp_idp:/CN=Gateway Tiqr IdP/O=${SAML_O}"
"gateway_gssp_sp:/CN=Gateway Tiqr SP/O=${SAML_O}"
# This is the SAML signing certificate of the Tiqr GSSP IdP
"tiqr_idp:/CN=RA Tiqr IdP/O=${SAML_O}"
)
# These SSL/TLS certificates are for testing / development purposes only
# SSL_DOMAIN is used to generate the vhost names (see SSL_CERTS below)
#TODO: Update SSL_DOMAIN to what you are using
SSL_DOMAIN='stepup.example.com' # Domain for SSL certs
#TODO: Update SSL_O and SSL_C to what you are using
SSL_O='Development VM' # Organisation for SSL certs
SSL_C='NL' # Country for SSL certs
# Distinguised name of the Root CA certificate for issuing the SSL certificates
SSL_ROOT_DN="/CN=Root CA/O=${SSL_O}/C=${SSL_C}" # DN for SSL root CA
# TODO: change CN part of the certificate DN to what you are using
# This should match what is configured in *_vhost_name group_vars/all.yml
# List of SSL/TLS certificates to generate. Format: "<basename>:<DN>"
# Where:
# - <filename> is the basename used for the certificate an key on disk
# - <DN> is the subject distinguished name of the certificate in OpenSSL format
SSL_CERTS=(
"gateway:/CN=gateway.${SSL_DOMAIN}/O=${SSL_O}/C=${SSL_C}"
"ra:/CN=ra.${SSL_DOMAIN}/O=${SSL_O}/C=${SSL_C}"
"selfservice:/CN=selfservice.${SSL_DOMAIN}/O=${SSL_O}/C=${SSL_C}"
"manage:/CN=manage.${SSL_DOMAIN}/O=${SSL_O}/C=${SSL_C}"
"middleware:/CN=middleware.${SSL_DOMAIN}/O=${SSL_O}/C=${SSL_C}"
"tiqr:/CN=tiqr.${SSL_DOMAIN}/O=${SSL_O}/C=${SSL_C}"
"keyserver:/CN=keyserver.${SSL_DOMAIN}/O=${SSL_O}/C=${SSL_C}"
)
### SSH keys ###
# List of ssh keypairs to generate. Format: "<basename>"
# Where:
# - <basename> is the basename used for the private and public key on disk
SSH_KEYS=(
"deploy"
)