From cc70903f529943d72d144dc7a4d8b36ef3b5cd80 Mon Sep 17 00:00:00 2001
From: julian
Date: Tue, 8 Aug 2023 01:18:44 +0200
Subject: [PATCH] Migrate Keycloak from ccchh.net to hamburg.ccc.de
---
 inventories/chaosknoten/host_vars/keycloak.yaml | 12 ++++++------
 .../{id.ccchh.net.conf => id.hamburg.ccc.de.conf} | 8 ++++----
 ...h.net.conf => keycloak-admin.hamburg.ccc.de.conf} | 8 ++++----
 .../public-reverse-proxy/nginx/acme_challenge.conf | 4 ++--
 .../configs/public-reverse-proxy/nginx/nginx.conf | 4 ++--
 .../chaosknoten/configs/keycloak/compose.yaml.j2 | 4 ++--
 .../chaosknoten/configs/pad/compose.yaml.j2 | 6 +++---
 7 files changed, 23 insertions(+), 23 deletions(-)
 rename playbooks/files/chaosknoten/configs/keycloak/nginx/{id.ccchh.net.conf => id.hamburg.ccc.de.conf} (90%)
 rename playbooks/files/chaosknoten/configs/keycloak/nginx/{keycloak-admin.ccchh.net.conf => keycloak-admin.hamburg.ccc.de.conf} (89%)
diff --git a/inventories/chaosknoten/host_vars/keycloak.yaml b/inventories/chaosknoten/host_vars/keycloak.yaml
index b9d22ff..e9b5b70 100644
--- a/inventories/chaosknoten/host_vars/keycloak.yaml
+++ b/inventories/chaosknoten/host_vars/keycloak.yaml
@@ -4,12 +4,12 @@ docker_compose__configuration_files: [ ]
 certbot__version_spec: ""
 certbot__acme_account_email_address: j+letsencrypt-ccchh@jsts.xyz
 certbot__certificate_domains:
- - "id.ccchh.net"
- - "keycloak-admin.ccchh.net"
+ - "id.hamburg.ccc.de"
+ - "keycloak-admin.hamburg.ccc.de"
 nginx__version_spec: ""
 nginx__configurations:
- - name: id.ccchh.net
- content: "{{ lookup('ansible.builtin.file', 'chaosknoten/configs/keycloak/nginx/id.ccchh.net.conf') }}"
- - name: keycloak-admin.ccchh.net
- content: "{{ lookup('ansible.builtin.file', 'chaosknoten/configs/keycloak/nginx/keycloak-admin.ccchh.net.conf') }}"
+ - name: id.hamburg.ccc.de
+ content: "{{ lookup('ansible.builtin.file', 'chaosknoten/configs/keycloak/nginx/id.hamburg.ccc.de.conf') }}"
+ - name: keycloak-admin.hamburg.ccc.de
+ content: "{{ lookup('ansible.builtin.file', 'chaosknoten/configs/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf') }}"
diff --git a/playbooks/files/chaosknoten/configs/keycloak/nginx/id.ccchh.net.conf b/playbooks/files/chaosknoten/configs/keycloak/nginx/id.hamburg.ccc.de.conf
similarity index 90%
rename from playbooks/files/chaosknoten/configs/keycloak/nginx/id.ccchh.net.conf
rename to playbooks/files/chaosknoten/configs/keycloak/nginx/id.hamburg.ccc.de.conf
index 3a5d4ca..a5664e2 100644
--- a/playbooks/files/chaosknoten/configs/keycloak/nginx/id.ccchh.net.conf
+++ b/playbooks/files/chaosknoten/configs/keycloak/nginx/id.hamburg.ccc.de.conf
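Review bot: Dropping `id.ccchh.net` and `keycloak-admin.ccchh.net` from `certbot__certificate_domains` and `nginx__configurations` stops issuing and serving the old names, but nothing in the commit retires them explicitly: whether the certbot and nginx roles prune entries that are no longer listed is not visible here, so the old renewal configuration, the old `/etc/letsencrypt/live/id.ccchh.net/` material and the previously deployed `id.ccchh.net` server block may remain on the host. The public-reverse-proxy hunks later in this patch also remove the old names from both maps, so any relying party still configured against `https://id.ccchh.net/...` gets a connection failure rather than a redirect. If the old domain is still held, a server block on whichever nginx terminates TLS for it that answers `return 301 https://id.hamburg.ccc.de$request_uri;` would make the cut-over visible; otherwise a sentence in the commit message about the expected leftovers would help the next operator.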
@@ -13,12 +13,12 @@ server {
 # header.
 real_ip_header proxy_protocol;
- server_name id.ccchh.net;
+ server_name id.hamburg.ccc.de;
- ssl_certificate /etc/letsencrypt/live/id.ccchh.net/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/id.ccchh.net/privkey.pem;
+ ssl_certificate /etc/letsencrypt/live/id.hamburg.ccc.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/id.hamburg.ccc.de/privkey.pem;
 # verify chain of trust of OCSP response using Root CA and Intermediate certs
- ssl_trusted_certificate /etc/letsencrypt/live/id.ccchh.net/chain.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/id.hamburg.ccc.de/chain.pem;
 # HSTS (ngx_http_headers_module is required) (63072000 seconds)
 add_header Strict-Transport-Security "max-age=63072000" always;
diff --git a/playbooks/files/chaosknoten/configs/keycloak/nginx/keycloak-admin.ccchh.net.conf b/playbooks/files/chaosknoten/configs/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf
similarity index 89%
rename from playbooks/files/chaosknoten/configs/keycloak/nginx/keycloak-admin.ccchh.net.conf
rename to playbooks/files/chaosknoten/configs/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf
index 8ceebfa..c4f3cb8 100644
--- a/playbooks/files/chaosknoten/configs/keycloak/nginx/keycloak-admin.ccchh.net.conf
+++ b/playbooks/files/chaosknoten/configs/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf
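Review bot: The renamed server block now points `ssl_certificate`, `ssl_certificate_key` and `ssl_trusted_certificate` at `/etc/letsencrypt/live/id.hamburg.ccc.de/`, which exists only once certbot has issued the new certificate, and nginx refuses to load a configuration whose certificate files are missing; the `keycloak-admin.hamburg.ccc.de` block in the next hunk has the same dependency. Issuance in turn relies on the `acme_challenge.conf` map change on the public reverse proxy, which is part of this same commit, so the working deploy order is public reverse proxy first, then certbot on the keycloak host, then this nginx configuration. Whether the roles enforce that order is not visible here; a comment above `ssl_certificate` such as `# issued by certbot from certbot__certificate_domains; the public-reverse-proxy ACME routing must be deployed first` would record the dependency where the next migration will look for it. The `server { ... }` block starts and ends outside the hunk.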
@@ -17,12 +17,12 @@ server {
 # header.
 real_ip_header proxy_protocol;
- server_name keycloak-admin.ccchh.net;
+ server_name keycloak-admin.hamburg.ccc.de;
- ssl_certificate /etc/letsencrypt/live/keycloak-admin.ccchh.net/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/keycloak-admin.ccchh.net/privkey.pem;
+ ssl_certificate /etc/letsencrypt/live/keycloak-admin.hamburg.ccc.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/keycloak-admin.hamburg.ccc.de/privkey.pem;
 # verify chain of trust of OCSP response using Root CA and Intermediate certs
- ssl_trusted_certificate /etc/letsencrypt/live/keycloak-admin.ccchh.net/chain.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/keycloak-admin.hamburg.ccc.de/chain.pem;
 # HSTS (ngx_http_headers_module is required) (63072000 seconds)
 add_header Strict-Transport-Security "max-age=63072000" always;
diff --git a/playbooks/files/chaosknoten/configs/public-reverse-proxy/nginx/acme_challenge.conf b/playbooks/files/chaosknoten/configs/public-reverse-proxy/nginx/acme_challenge.conf
index 4226e8e..38a0d67 100644
--- a/playbooks/files/chaosknoten/configs/public-reverse-proxy/nginx/acme_challenge.conf
+++ b/playbooks/files/chaosknoten/configs/public-reverse-proxy/nginx/acme_challenge.conf
@@ -1,8 +1,8 @@
 map $host $upstream_acme_challenge_host {
 cloud.hamburg.ccc.de cloud-intern.hamburg.ccc.de:31820;
 pad.hamburg.ccc.de pad-intern.hamburg.ccc.de:31820;
- id.ccchh.net 172.31.17.144:31820;
- keycloak-admin.ccchh.net 172.31.17.144:31820;
+ id.hamburg.ccc.de 172.31.17.144:31820;
+ keycloak-admin.hamburg.ccc.de 172.31.17.144:31820;
 default "";
 }
diff --git a/playbooks/files/chaosknoten/configs/public-reverse-proxy/nginx/nginx.conf b/playbooks/files/chaosknoten/configs/public-reverse-proxy/nginx/nginx.conf
index ec9a652..5773711 100644
--- a/playbooks/files/chaosknoten/configs/public-reverse-proxy/nginx/nginx.conf
+++ b/playbooks/files/chaosknoten/configs/public-reverse-proxy/nginx/nginx.conf
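Review bot: In the `acme_challenge.conf` hunk the rewritten entries keep the literal backend `172.31.17.144:31820`, while the `cloud.hamburg.ccc.de` and `pad.hamburg.ccc.de` rows in the same map resolve through an internal DNS name; the `$ssl_preread_server_name` map in `nginx.conf` in the next hunk has the same mix. Since these two lines are being rewritten anyway, this is the moment to give the Keycloak host an internal name as well (`<keycloak-internal-name>:31820` as a placeholder for whatever the naming scheme yields) so that a future address change is a single DNS edit instead of two edits across two files. With the old names gone from the map, `id.ccchh.net` now falls through to `default ""`, which appears intended given the commit title.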
@@ -20,8 +20,8 @@ stream {
 map $ssl_preread_server_name $address {
 cloud.hamburg.ccc.de cloud-intern.hamburg.ccc.de:8443;
 pad.hamburg.ccc.de pad-intern.hamburg.ccc.de:8443;
- id.ccchh.net 172.31.17.144:8443;
- keycloak-admin.ccchh.net 172.31.17.144:8444;
+ id.hamburg.ccc.de 172.31.17.144:8443;
+ keycloak-admin.hamburg.ccc.de 172.31.17.144:8444;
 }
 server {
diff --git a/playbooks/templates/chaosknoten/configs/keycloak/compose.yaml.j2 b/playbooks/templates/chaosknoten/configs/keycloak/compose.yaml.j2
index c7a97d5..34a9724 100644
--- a/playbooks/templates/chaosknoten/configs/keycloak/compose.yaml.j2
+++ b/playbooks/templates/chaosknoten/configs/keycloak/compose.yaml.j2
@@ -51,9 +51,9 @@ services:
 KC_DB_URL_HOST: db
 KC_DB_USERNAME: keycloak
 KC_DB_PASSWORD: {{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/keycloak/KC_DB_PASSWORD", create=false, missing="error") }}
- KC_HOSTNAME: id.ccchh.net
+ KC_HOSTNAME: id.hamburg.ccc.de
 KC_HOSTNAME_STRICT_BACKCHANNEL: true
- KC_HOSTNAME_ADMIN: keycloak-admin.ccchh.net
+ KC_HOSTNAME_ADMIN: keycloak-admin.hamburg.ccc.de
 KC_PROXY: edge
 ports:
 - "8080:8080"
diff --git a/playbooks/templates/chaosknoten/configs/pad/compose.yaml.j2 b/playbooks/templates/chaosknoten/configs/pad/compose.yaml.j2
index 8c90eac..54de020 100644
--- a/playbooks/templates/chaosknoten/configs/pad/compose.yaml.j2
+++ b/playbooks/templates/chaosknoten/configs/pad/compose.yaml.j2
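Review bot: In the keycloak compose hunk, changing `KC_HOSTNAME` changes the realm's OIDC issuer from `https://id.ccchh.net/realms/ccchh` to `https://id.hamburg.ccc.de/realms/ccchh`, and every relying party has to follow; this commit updates only the pad template, while `cloud.hamburg.ccc.de` — present in both reverse-proxy maps — is not touched, so if it authenticates against this Keycloak its client configuration still names the old issuer. Sessions and tokens issued under the old issuer will also stop validating after the restart, which is acceptable for a planned cut-over but worth a sentence in the commit message. If a realm has a frontend URL override stored in the Keycloak database, the environment change here does not reach it; I can't verify that from the page. The `services:` block this hunk belongs to starts before and ends after the hunk.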
@@ -31,12 +31,12 @@ services:
 - "CMD_ALLOW_ANONYMOUS_VIEWS=true"
 - "CMD_DEFAULT_PERMISSION=limited"
 - "CMD_EMAIL=false"
- - "CMD_OAUTH2_USER_PROFILE_URL=https://id.ccchh.net/realms/ccchh/protocol/openid-connect/userinfo"
+ - "CMD_OAUTH2_USER_PROFILE_URL=https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/userinfo"
 - "CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=preferred_username"
 - "CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name"
 - "CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email"
- - "CMD_OAUTH2_TOKEN_URL=https://id.ccchh.net/realms/ccchh/protocol/openid-connect/token"
- - "CMD_OAUTH2_AUTHORIZATION_URL=https://id.ccchh.net/realms/ccchh/protocol/openid-connect/auth"
+ - "CMD_OAUTH2_TOKEN_URL=https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/token"
+ - "CMD_OAUTH2_AUTHORIZATION_URL=https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/auth"
 - "CMD_OAUTH2_CLIENT_ID=pad"
 - "CMD_OAUTH2_CLIENT_SECRET={{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/pad/KC_SECRET", create=false, missing="error") }}"
 - "CMD_OAUTH2_PROVIDERNAME=Keycloak"
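Review bot: The three rewritten OAuth2 URLs repeat the same base `https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect`, and the same hostname is typed again as `KC_HOSTNAME` in the keycloak compose template, so this migration had to edit five literals by hand and a sixth would be easy to miss next time. A template-level variable, `{% set oidc_base = "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect" %}`, with entries written as `- "CMD_OAUTH2_TOKEN_URL={{ oidc_base }}/token"`, leaves one place to change inside this file; deriving the hostname from an inventory variable shared with the keycloak host_vars would tie the two templates together as well. The `services:` block this hunk belongs to starts before and ends after the hunk.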