forked from data.coop/ansible
236 lines
8.3 KiB
YAML
236 lines
8.3 KiB
YAML
- name: create gluu volume folders
|
|
file:
|
|
name: "{{ gluu.volume_folder }}/{{ volume }}"
|
|
state: directory
|
|
loop:
|
|
- "config-init/db"
|
|
- "consul/data"
|
|
- "opendj/config"
|
|
- "opendj/ldif"
|
|
- "opendj/logs"
|
|
- "opendj/db"
|
|
- "opendj/flag"
|
|
- "opendj/backup"
|
|
- "oxauth/custom"
|
|
- "oxauth/custom/pages"
|
|
- "oxauth/custom/static"
|
|
- "oxauth/lib/ext"
|
|
- "oxauth/logs"
|
|
- "oxtrust/custom/pages"
|
|
- "oxtrust/lib/ext"
|
|
- "oxtrust/logs"
|
|
- "shared-shibboleth-idp"
|
|
- "vault/config:/vault/config"
|
|
- "vault/data:/vault/data"
|
|
- "vault/logs:/vault/logs"
|
|
loop_control:
|
|
loop_var: "volume"
|
|
|
|
- name: set up gluu
|
|
docker_service:
|
|
project_name: gluu
|
|
pull: yes
|
|
definition:
|
|
version: "2.3"
|
|
services:
|
|
consul:
|
|
image: consul
|
|
container_name: consul
|
|
command: agent -server -bootstrap -ui
|
|
hostname: consul-1
|
|
environment:
|
|
- CONSUL_BIND_INTERFACE=eth0
|
|
- CONSUL_CLIENT_INTERFACE=eth0
|
|
restart: unless-stopped
|
|
volumes:
|
|
- "{{ gluu.volume_folder }}/consul:/consul/data"
|
|
networks:
|
|
- "gluu"
|
|
labels:
|
|
- "SERVICE_IGNORE=yes"
|
|
|
|
vault:
|
|
container_name: vault
|
|
image: vault:1.0.1
|
|
command: vault server -config=/vault/config
|
|
volumes:
|
|
- "{{ gluu.volume_folder }}/vault/config:/vault/config"
|
|
- "{{ gluu.volume_folder }}/vault/data:/vault/data"
|
|
- "{{ gluu.volume_folder }}/vault/logs:/vault/logs"
|
|
- "{{ gluu.volume_folder }}/vault/vault_gluu_policy.hcl:/vault/config/policy.hcl"
|
|
- "{{ gluu.volume_folder }}/vault/gcp_kms_stanza.hcl:/vault/config/stanza.hcl"
|
|
- "{{ gluu.volume_folder }}/vault/gcp_kms_creds.json:/vault/config/creds.json"
|
|
cap_add:
|
|
- IPC_LOCK
|
|
environment:
|
|
- VAULT_REDIRECT_INTERFACE=eth0
|
|
- VAULT_CLUSTER_INTERFACE=eth0
|
|
- VAULT_ADDR=http://0.0.0.0:8200
|
|
- VAULT_LOCAL_CONFIG={"backend":{"consul":{"address":"consul:8500","path":"vault/"}},"listener":{"tcp":{"address":"0.0.0.0:8200","tls_disable":1}}}
|
|
restart: unless-stopped
|
|
networks:
|
|
- "gluu"
|
|
depends_on:
|
|
- consul
|
|
labels:
|
|
- "SERVICE_IGNORE=yes"
|
|
|
|
registrator:
|
|
container_name: registrator
|
|
image: gluufederation/registrator:dev
|
|
command: registrator -internal -cleanup -resync 30 -retry-attempts 5 -retry-interval 10 consul://consul:8500
|
|
volumes:
|
|
- /var/run/docker.sock:/tmp/docker.sock
|
|
networks:
|
|
- "gluu"
|
|
restart: unless-stopped
|
|
depends_on:
|
|
- consul
|
|
|
|
nginx:
|
|
container_name: nginx
|
|
image: gluufederation/nginx:3.1.5_02
|
|
environment:
|
|
- GLUU_CONFIG_CONSUL_HOST=consul
|
|
- GLUU_SECRET_VAULT_HOST=vault
|
|
- VIRTUAL_HOST="{{ gluu.domain }}"
|
|
- LETSENCRYPT_HOST="{{ gluu.domain }}"
|
|
- LETSENCRYPT_EMAIL="{{ letsencrypt_email }}"
|
|
ports:
|
|
- "80"
|
|
- "443"
|
|
networks:
|
|
- "external_services"
|
|
- "gluu"
|
|
restart: unless-stopped
|
|
labels:
|
|
- "SERVICE_IGNORE=yes"
|
|
|
|
ldap:
|
|
container_name: ldap
|
|
image: gluufederation/opendj:3.1.5_02
|
|
environment:
|
|
- GLUU_CONFIG_CONSUL_HOST=consul
|
|
- GLUU_SECRET_VAULT_HOST=vault
|
|
- GLUU_LDAP_INIT=true
|
|
- GLUU_LDAP_INIT_HOST=ldap
|
|
- GLUU_LDAP_INIT_PORT=1636
|
|
- GLUU_OXTRUST_CONFIG_GENERATION=true
|
|
- GLUU_CACHE_TYPE=NATIVE_PERSISTENCE
|
|
# - GLUU_CACHE_TYPE=REDIS # don't forget to enable redis service
|
|
# - GLUU_REDIS_URL=redis:6379
|
|
# - GLUU_REDIS_TYPE=STANDALONE
|
|
# the value must match service name `ldap` because other containers
|
|
# use this value as LDAP hostname
|
|
- GLUU_CERT_ALT_NAME=ldap
|
|
volumes:
|
|
- "{{ gluu.volume_folder }}/opendj/config:/opt/opendj/config"
|
|
- "{{ gluu.volume_folder }}/opendj/ldif:/opt/opendj/ldif"
|
|
- "{{ gluu.volume_folder }}/opendj/logs:/opt/opendj/logs"
|
|
- "{{ gluu.volume_folder }}/opendj/db:/opt/opendj/db"
|
|
- "{{ gluu.volume_folder }}/opendj/flag:/flag"
|
|
- "{{ gluu.volume_folder }}/opendj/backup:/opt/opendj/bak"
|
|
networks:
|
|
- "gluu"
|
|
restart: unless-stopped
|
|
labels:
|
|
- "SERVICE_IGNORE=yes"
|
|
|
|
oxauth:
|
|
container_name: oxauth
|
|
image: gluufederation/oxauth:3.1.5_02
|
|
environment:
|
|
- GLUU_CONFIG_CONSUL_HOST=consul
|
|
- GLUU_SECRET_VAULT_HOST=consul
|
|
- GLUU_LDAP_URL=ldap:1636
|
|
extra_hosts:
|
|
- "{{ gluu.domain }}:85.235.225.231"
|
|
volumes:
|
|
- "{{ gluu.volume_folder }}/oxauth/custom/pages:/opt/gluu/jetty/oxauth/custom/pages"
|
|
- "{{ gluu.volume_folder }}/oxauth/custom/static:/opt/gluu/jetty/oxauth/custom/static"
|
|
- "{{ gluu.volume_folder }}/oxauth/lib/ext:/opt/gluu/jetty/oxauth/lib/ext"
|
|
- "{{ gluu.volume_folder }}/oxauth/logs:/opt/gluu/jetty/oxauth/logs"
|
|
networks:
|
|
- "gluu"
|
|
mem_limit: 1536M
|
|
restart: unless-stopped
|
|
labels:
|
|
- "SERVICE_NAME=oxauth"
|
|
- "SERVICE_8080_CHECK_HTTP=/oxauth/.well-known/openid-configuration"
|
|
- "SERVICE_8080_CHECK_INTERVAL=15s"
|
|
- "SERVICE_8080_CHECK_TIMEOUT=5s"
|
|
|
|
oxtrust:
|
|
container_name: oxtrust
|
|
image: gluufederation/oxtrust:3.1.5_02
|
|
environment:
|
|
- GLUU_CONFIG_CONSUL_HOST=consul
|
|
- GLUU_SECRET_VAULT_HOST=vault
|
|
- GLUU_LDAP_URL=ldap:1636
|
|
- GLUU_OXAUTH_BACKEND=oxauth:8080
|
|
extra_hosts:
|
|
- "{{ gluu.domain }}:85.235.225.231"
|
|
volumes:
|
|
- "{{ gluu.volume_folder }}/oxtrust/custom/pages:/opt/gluu/jetty/identity/custom/pages"
|
|
- "{{ gluu.volume_folder }}/oxtrust/custom/static:/opt/gluu/jetty/identity/custom/static"
|
|
- "{{ gluu.volume_folder }}/oxtrust/lib/ext:/opt/gluu/jetty/identity/lib/ext"
|
|
- "{{ gluu.volume_folder }}/oxtrust/logs:/opt/gluu/jetty/identity/logs"
|
|
- "{{ gluu.volume_folder }}/shared-shibboleth-idp:/opt/shared-shibboleth-idp"
|
|
networks:
|
|
- "gluu"
|
|
mem_limit: 1536M
|
|
restart: unless-stopped
|
|
labels:
|
|
- "SERVICE_NAME=oxtrust"
|
|
- "SERVICE_8080_CHECK_HTTP=/identity/restv1/scim-configuration"
|
|
- "SERVICE_8080_CHECK_INTERVAL=15s"
|
|
- "SERVICE_8080_CHECK_TIMEOUT=5s"
|
|
|
|
oxshibboleth:
|
|
container_name: oxshibboleth
|
|
image: gluufederation/oxshibboleth:3.1.5_02
|
|
environment:
|
|
- GLUU_CONFIG_CONSUL_HOST=consul
|
|
- GLUU_SECRET_VAULT_HOST=vault
|
|
- GLUU_LDAP_URL=ldap:1636
|
|
extra_hosts:
|
|
- "{{gluu.domain}}:85.235.225.231"
|
|
volumes:
|
|
- "{{ gluu.volume_folder }}/volumes/shared-shibboleth-idp:/opt/shared-shibboleth-idp"
|
|
networks:
|
|
- "gluu"
|
|
mem_limit: 1024M
|
|
restart: unless-stopped
|
|
labels:
|
|
- "SERVICE_NAME=oxshibboleth"
|
|
- "SERVICE_8086_CHECK_HTTP=/idp"
|
|
- "SERVICE_8086_CHECK_INTERVAL=15s"
|
|
- "SERVICE_8086_CHECK_TIMEOUT=5s"
|
|
|
|
oxpassport:
|
|
container_name: oxpassport
|
|
image: gluufederation/oxpassport:3.1.5_02
|
|
environment:
|
|
- GLUU_CONFIG_CONSUL_HOST=consul
|
|
- GLUU_SECRET_VAULT_HOST=vault
|
|
- GLUU_LDAP_URL=ldap:1636
|
|
# required by wait-for-it script
|
|
- GLUU_OXAUTH_BACKEND=oxauth:8080
|
|
- GLUU_OXTRUST_BACKEND=oxtrust:8080
|
|
extra_hosts:
|
|
- "{{gluu.domain}}:85.235.225.231"
|
|
networks:
|
|
- "gluu"
|
|
restart: unless-stopped
|
|
labels:
|
|
- "SERVICE_NAME=oxpassport"
|
|
- "SERVICE_8090_CHECK_HTTP=/passport"
|
|
- "SERVICE_8090_CHECK_INTERVAL=15s"
|
|
- "SERVICE_8090_CHECK_TIMEOUT=5s"
|
|
|
|
networks:
|
|
external_services:
|
|
external: true
|
|
gluu:
|
|
name: "gluu"
|