ansible/roles/docker/tasks/services/gluu.yml

236 lines
8.3 KiB
YAML

- name: create gluu volume folders
file:
name: "{{ gluu.volume_folder }}/{{ volume }}"
state: directory
loop:
- "config-init/db"
- "consul/data"
- "opendj/config"
- "opendj/ldif"
- "opendj/logs"
- "opendj/db"
- "opendj/flag"
- "opendj/backup"
- "oxauth/custom"
- "oxauth/custom/pages"
- "oxauth/custom/static"
- "oxauth/lib/ext"
- "oxauth/logs"
- "oxtrust/custom/pages"
- "oxtrust/lib/ext"
- "oxtrust/logs"
- "shared-shibboleth-idp"
- "vault/config:/vault/config"
- "vault/data:/vault/data"
- "vault/logs:/vault/logs"
loop_control:
loop_var: "volume"
- name: set up gluu
docker_service:
project_name: gluu
pull: yes
definition:
version: "2.3"
services:
consul:
image: consul
container_name: consul
command: agent -server -bootstrap -ui
hostname: consul-1
environment:
- CONSUL_BIND_INTERFACE=eth0
- CONSUL_CLIENT_INTERFACE=eth0
restart: unless-stopped
volumes:
- "{{ gluu.volume_folder }}/consul:/consul/data"
networks:
- "gluu"
labels:
- "SERVICE_IGNORE=yes"
vault:
container_name: vault
image: vault:1.0.1
command: vault server -config=/vault/config
volumes:
- "{{ gluu.volume_folder }}/vault/config:/vault/config"
- "{{ gluu.volume_folder }}/vault/data:/vault/data"
- "{{ gluu.volume_folder }}/vault/logs:/vault/logs"
- "{{ gluu.volume_folder }}/vault/vault_gluu_policy.hcl:/vault/config/policy.hcl"
- "{{ gluu.volume_folder }}/vault/gcp_kms_stanza.hcl:/vault/config/stanza.hcl"
- "{{ gluu.volume_folder }}/vault/gcp_kms_creds.json:/vault/config/creds.json"
cap_add:
- IPC_LOCK
environment:
- VAULT_REDIRECT_INTERFACE=eth0
- VAULT_CLUSTER_INTERFACE=eth0
- VAULT_ADDR=http://0.0.0.0:8200
- VAULT_LOCAL_CONFIG={"backend":{"consul":{"address":"consul:8500","path":"vault/"}},"listener":{"tcp":{"address":"0.0.0.0:8200","tls_disable":1}}}
restart: unless-stopped
networks:
- "gluu"
depends_on:
- consul
labels:
- "SERVICE_IGNORE=yes"
registrator:
container_name: registrator
image: gluufederation/registrator:dev
command: registrator -internal -cleanup -resync 30 -retry-attempts 5 -retry-interval 10 consul://consul:8500
volumes:
- /var/run/docker.sock:/tmp/docker.sock
networks:
- "gluu"
restart: unless-stopped
depends_on:
- consul
nginx:
container_name: nginx
image: gluufederation/nginx:3.1.5_02
environment:
- GLUU_CONFIG_CONSUL_HOST=consul
- GLUU_SECRET_VAULT_HOST=vault
- VIRTUAL_HOST="{{ gluu.domain }}"
- LETSENCRYPT_HOST="{{ gluu.domain }}"
- LETSENCRYPT_EMAIL="{{ letsencrypt_email }}"
ports:
- "80"
- "443"
networks:
- "external_services"
- "gluu"
restart: unless-stopped
labels:
- "SERVICE_IGNORE=yes"
ldap:
container_name: ldap
image: gluufederation/opendj:3.1.5_02
environment:
- GLUU_CONFIG_CONSUL_HOST=consul
- GLUU_SECRET_VAULT_HOST=vault
- GLUU_LDAP_INIT=true
- GLUU_LDAP_INIT_HOST=ldap
- GLUU_LDAP_INIT_PORT=1636
- GLUU_OXTRUST_CONFIG_GENERATION=true
- GLUU_CACHE_TYPE=NATIVE_PERSISTENCE
# - GLUU_CACHE_TYPE=REDIS # don't forget to enable redis service
# - GLUU_REDIS_URL=redis:6379
# - GLUU_REDIS_TYPE=STANDALONE
# the value must match service name `ldap` because other containers
# use this value as LDAP hostname
- GLUU_CERT_ALT_NAME=ldap
volumes:
- "{{ gluu.volume_folder }}/opendj/config:/opt/opendj/config"
- "{{ gluu.volume_folder }}/opendj/ldif:/opt/opendj/ldif"
- "{{ gluu.volume_folder }}/opendj/logs:/opt/opendj/logs"
- "{{ gluu.volume_folder }}/opendj/db:/opt/opendj/db"
- "{{ gluu.volume_folder }}/opendj/flag:/flag"
- "{{ gluu.volume_folder }}/opendj/backup:/opt/opendj/bak"
networks:
- "gluu"
restart: unless-stopped
labels:
- "SERVICE_IGNORE=yes"
oxauth:
container_name: oxauth
image: gluufederation/oxauth:3.1.5_02
environment:
- GLUU_CONFIG_CONSUL_HOST=consul
- GLUU_SECRET_VAULT_HOST=consul
- GLUU_LDAP_URL=ldap:1636
extra_hosts:
- "{{ gluu.domain }}:85.235.225.231"
volumes:
- "{{ gluu.volume_folder }}/oxauth/custom/pages:/opt/gluu/jetty/oxauth/custom/pages"
- "{{ gluu.volume_folder }}/oxauth/custom/static:/opt/gluu/jetty/oxauth/custom/static"
- "{{ gluu.volume_folder }}/oxauth/lib/ext:/opt/gluu/jetty/oxauth/lib/ext"
- "{{ gluu.volume_folder }}/oxauth/logs:/opt/gluu/jetty/oxauth/logs"
networks:
- "gluu"
mem_limit: 1536M
restart: unless-stopped
labels:
- "SERVICE_NAME=oxauth"
- "SERVICE_8080_CHECK_HTTP=/oxauth/.well-known/openid-configuration"
- "SERVICE_8080_CHECK_INTERVAL=15s"
- "SERVICE_8080_CHECK_TIMEOUT=5s"
oxtrust:
container_name: oxtrust
image: gluufederation/oxtrust:3.1.5_02
environment:
- GLUU_CONFIG_CONSUL_HOST=consul
- GLUU_SECRET_VAULT_HOST=vault
- GLUU_LDAP_URL=ldap:1636
- GLUU_OXAUTH_BACKEND=oxauth:8080
extra_hosts:
- "{{ gluu.domain }}:85.235.225.231"
volumes:
- "{{ gluu.volume_folder }}/oxtrust/custom/pages:/opt/gluu/jetty/identity/custom/pages"
- "{{ gluu.volume_folder }}/oxtrust/custom/static:/opt/gluu/jetty/identity/custom/static"
- "{{ gluu.volume_folder }}/oxtrust/lib/ext:/opt/gluu/jetty/identity/lib/ext"
- "{{ gluu.volume_folder }}/oxtrust/logs:/opt/gluu/jetty/identity/logs"
- "{{ gluu.volume_folder }}/shared-shibboleth-idp:/opt/shared-shibboleth-idp"
networks:
- "gluu"
mem_limit: 1536M
restart: unless-stopped
labels:
- "SERVICE_NAME=oxtrust"
- "SERVICE_8080_CHECK_HTTP=/identity/restv1/scim-configuration"
- "SERVICE_8080_CHECK_INTERVAL=15s"
- "SERVICE_8080_CHECK_TIMEOUT=5s"
oxshibboleth:
container_name: oxshibboleth
image: gluufederation/oxshibboleth:3.1.5_02
environment:
- GLUU_CONFIG_CONSUL_HOST=consul
- GLUU_SECRET_VAULT_HOST=vault
- GLUU_LDAP_URL=ldap:1636
extra_hosts:
- "{{gluu.domain}}:85.235.225.231"
volumes:
- "{{ gluu.volume_folder }}/volumes/shared-shibboleth-idp:/opt/shared-shibboleth-idp"
networks:
- "gluu"
mem_limit: 1024M
restart: unless-stopped
labels:
- "SERVICE_NAME=oxshibboleth"
- "SERVICE_8086_CHECK_HTTP=/idp"
- "SERVICE_8086_CHECK_INTERVAL=15s"
- "SERVICE_8086_CHECK_TIMEOUT=5s"
oxpassport:
container_name: oxpassport
image: gluufederation/oxpassport:3.1.5_02
environment:
- GLUU_CONFIG_CONSUL_HOST=consul
- GLUU_SECRET_VAULT_HOST=vault
- GLUU_LDAP_URL=ldap:1636
# required by wait-for-it script
- GLUU_OXAUTH_BACKEND=oxauth:8080
- GLUU_OXTRUST_BACKEND=oxtrust:8080
extra_hosts:
- "{{gluu.domain}}:85.235.225.231"
networks:
- "gluu"
restart: unless-stopped
labels:
- "SERVICE_NAME=oxpassport"
- "SERVICE_8090_CHECK_HTTP=/passport"
- "SERVICE_8090_CHECK_INTERVAL=15s"
- "SERVICE_8090_CHECK_TIMEOUT=5s"
networks:
external_services:
external: true
gluu:
name: "gluu"