WIP

Author: mrvanes

roles/sbs/defaults/main.yml

@@ -72,9 +72,6 @@ sbs_defaults:
 
   wiki_link: "https://www.example.org/wiki"
 
-  backend_port: 8080
-  num_workers: 2
-
   cron_hour_of_day: 4
   seed_allowed: True
   api_keys_enabled: True
@@ -168,9 +165,3 @@ sbs_defaults:
     - 'sha256-WTC9gHKjIpzl5ub1eg/YrRy/k+jlzeyRojah9dxAApc='  # on /new-service-request
 
   engine_block_api_token: secret
-
-  # wildcard_backend_cert:
-  #   pub: |
-  #     -----BEGIN CERTIFICATE-----
-  #     12345
-  #     -----END CERTIFICATE-----

roles/sbs/tasks/main.yml

@@ -57,31 +57,8 @@
     - "sbs.log"
     - "sbs.debug.log"
 
-# - name: "Copy wildcard backend cert"
-#   copy:
-#     content: "{{wildcard_backend_cert.pub}}"
-#     dest: "{{sbs.cert_dir}}/backend.crt"
-#     owner: "root"
-#     group: "root"
-#     mode: "0644"
-#   notify: "Restart sbs containers"
-
-# - name: "Copy https cert"
-#   copy:
-#     content: "{{https_cert.cert}}"
-#     dest: "{{sbs.cert_dir}}/frontend.crt"
-#     owner: "root"
-#     group: "root"
-#     mode: "0644"
-#   notify: "Restart sbs containers"
-
-# - name: "Install database certificate"
-#   copy:
-#     dest: "{{sbs.db_cert_path}}"
-#     content: "{{ sbs.db_tls_cert }}"
-#     owner: "root"
-#     group: "root"
-#     mode: "0644"
+# Create dummy file in certs dir to pacify container pre-init script
+# https://github.com/SURFscz/SBS/pull/2312
 - name: "Touch file in {{ sbs.cert_dir }}"
   ansible.builtin.file:
     path: "{{sbs.cert_dir}}/dummy"

roles/sbs/templates/config.yml.j2

@@ -30,8 +30,8 @@ api_users:
 {% endfor %}
 
 oidc:
-  client_id: "{{ sbs.client_id }}"
-  client_secret: "{{ sbs.client_secret }}"
+  client_id: "{{ sbs.oidc_client_id }}"
+  client_secret: "{{ sbs.oidc_client_secret }}"
   audience: "{{ sbs.oidc_jwt_audience }}"
   verify_peer:  {{ sbs.oidc_verify_peer }}
   authorization_endpoint: "{{ sbs.oidc_authz_endpoint}}"
@@ -45,7 +45,7 @@ oidc:
   second_factor_authentication_required: {{ sbs.second_factor_authentication_required }}
   totp_token_name: "{{ sbs.totp_token_name }}"
   # The service_id in the proxy_authz endpoint when logging into SBS. Most likely to equal the oidc.client_id
-  sram_service_entity_id: "{{ sbs.client_id }}"
+  sram_service_entity_id: "{{ sbs.oidc_client_id }}"
   scopes: {{ sbs.oidc_scopes }}
 
 base_scope: "{{ base_domain }}"

roles/sbs/templates/sbs-apache.conf.j2

@@ -12,10 +12,10 @@ RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-f
 RewriteRule ^/(.*)$ /index.html  [L]
 
 ProxyRequests off
-ProxyPassMatch ^/(api|pam-weblogin|flasgger_static|swagger|health|config|info) http://sbs-server:{{sbs.backend_port}}/
-ProxyPassReverse / http://sbs-server:{{sbs.backend_port}}/
-ProxyPass /socket.io/ ws://sbs-server:{{sbs.backend_port}}/socket.io/
-ProxyPassReverse /socket.io/ ws://sbs-server:{{sbs.backend_port}}/socket.io/
+ProxyPassMatch ^/(api|pam-weblogin|flasgger_static|swagger|health|config|info) http://sbs-server:8080/
+ProxyPassReverse / http://sbs-server:8080/
+ProxyPass /socket.io/ ws://sbs-server:8080/socket.io/
+ProxyPassReverse /socket.io/ ws://sbs-server:8080/socket.io/
 
 <If "%{REQUEST_URI} =~ m#^/api/images/#">
     Header set Cache-Control:  "public, max-age=31536000, immutable"