Huge role refactoring/cleanup. Other commits will propably follow. Because some bugs will exist. Still important for longrun and also for auto docs/help/slideshow generation

2025-08-29 15:06:26 +02:00 · 2025-07-08 23:43:13 +02:00
parent 6b87a049d4
commit 563d5fd528
1242 changed files with 2301 additions and 1355 deletions
--- a/roles/web-app-syncope/README.md
+++ b/roles/web-app-syncope/README.md
@@ -0,0 +1,35 @@
+# Syncope (DRAFT)
+
+## 🔥 Description
+
+[Apache Syncope](https://syncope.apache.org/) is a powerful and flexible open-source system for managing digital identities in enterprise environments. It offers Identity Governance and Administration (IGA) capabilities, including user provisioning, role management, auditing, workflow integration, and more. Syncope is designed to handle complex identity life cycles across multiple systems, both on-premise and in the cloud.
+
+This role deploys Apache Syncope using Docker Compose, automating the setup of its core services, database, and reverse proxy integration.
+
+## 📖 Overview
+
+Optimized for Archlinux, this role brings up a fully functional Syncope stack based on the official [Docker Compose samples](https://syncope.apache.org/docs/getting-started.html#docker-compose-samples). It includes all core components like Syncope Core, Console, and Enduser, with secure environment management and HTTPS integration.
+
+### Key Features
+- **Complete Identity Management:** Centralized user, group, and policy management.
+- **Extensible Architecture:** Integrates easily with external identity providers (LDAP, Active Directory, etc.).
+- **Modern Interfaces:** Provides REST APIs and web consoles for administrators and end-users.
+- **Open Standards Support:** SAML 2.0, OAuth 2.0, OpenID Connect, SCIM.
+
+## 🎯 Purpose
+
+The Syncope (Docker Deployment) role provides a fully automated environment for testing, development, or production setups of Apache Syncope, simplifying the complexities of IAM deployment.
+
+## 🚀 Features
+
+- **PostgreSQL Database Setup:** Integrated database management for Syncope.
+- **Syncope Core + Console + Enduser Deployment:** All critical services brought up automatically.
+- **Nginx Reverse Proxy with SSL:** Secured access with HTTPS termination.
+- **Credential and Secrets Management:** Handles sensitive user credentials securely.
+- **Customizable Paths and Environment:** Easy adjustment for your domain and access paths.
+
+## 🔗 Learn More
+
+- [Apache Syncope Official Website](https://syncope.apache.org/)
+- [Apache Syncope Documentation](https://syncope.apache.org/docs/)
+- [Identity Management (Wikipedia)](https://en.wikipedia.org/wiki/Identity_management)
--- a/roles/web-app-syncope/TODO.md
+++ b/roles/web-app-syncope/TODO.md
@@ -0,0 +1,2 @@
+# Todos
+- Implement this draft
--- a/roles/web-app-syncope/meta/main.yml
+++ b/roles/web-app-syncope/meta/main.yml
@@ -0,0 +1,28 @@
+---
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: |
+    Apache Syncope is an open-source Identity and Access Management (IAM) system, offering centralized identity governance, user provisioning, role management, and workflow integration.
+  license: "CyMaIS NonCommercial License (CNCL)"
+  license_url: "https://s.veen.world/cncl"
+  company: |
+    Kevin Veen-Birkenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  min_ansible_version: "2.9"
+  platforms:
+    - name: Archlinux
+      versions:
+        - rolling
+  galaxy_tags:
+    - docker
+    - syncope
+    - iam
+    - identity
+    - management
+    - nginx
+    - https
+    - automation
+  repository: "https://s.veen.world/cymais"
+  issue_tracker_url: "https://s.veen.world/cymaisissues"
+  documentation: "https://s.veen.world/cymais"
--- a/roles/web-app-syncope/tasks/main.yml
+++ b/roles/web-app-syncope/tasks/main.yml
@@ -0,0 +1,29 @@
+---
+- name: "include service-rdbms-central"
+  include_role: 
+    name: service-rdbms-central
+
+- name: "include role for {{application_id}} to receive certs & do modification routines"
+  include_role:
+    name: webserver-composer
+
+- name: configure {{domain}}.conf
+  template: 
+    src:  "templates/proxy.conf.j2"
+    dest: "{{nginx.directories.http.servers}}{{domain}}.conf"
+  notify: restart nginx
+
+- name: configure {{domain}}.conf
+  template: 
+    src:  "templates/proxy.conf.j2"
+    dest: "{{nginx.directories.http.servers}}{{domain}}.conf"
+  notify: restart nginx
+
+- name: "create {{docker_compose.files.env}}"
+  template: 
+    src:  "database.j2" 
+    dest: "{{docker_compose.files.env}}"
+    mode: '770'
+    force: yes
+  notify: docker compose up
+
--- a/roles/web-app-syncope/templates/database.env.j2
+++ b/roles/web-app-syncope/templates/database.env.j2
@@ -0,0 +1,5 @@
+DB_URL={{ database_url_jdbc }}?stringtype=unspecified
+DB_USER=DB_URL={{ database_username }}
+DB_PASSWORD={{ database_password }}
+DB_POOL_MAX=20
+DB_POOL_MIN=5
--- a/roles/web-app-syncope/templates/docker-compose.yml.j2
+++ b/roles/web-app-syncope/templates/docker-compose.yml.j2
@@ -0,0 +1,38 @@
+{% include 'roles/docker-compose/templates/base.yml.j2' %}
+   application: 
+     depends_on:
+       - db
+     image: apache/syncope:{{ applications[application_id].version }}
+     ports:
+       - "18080:8080"
+     restart: always
+{% include 'roles/docker-container/templates/base.yml.j2' %}
+     environment:
+       SPRING_PROFILES_ACTIVE: docker,postgresql,saml2
+       OPENJPA_REMOTE_COMMIT: sjvm
+       SERVICE_DISCOVERY_ADDRESS: {{ domains | get_url(application_id, web_protocol) }}/{{syncope_paths[rest]}}/
+    # database variablen auslesen
+
+   console: 
+     depends_on:
+       - syncope
+     image: apache/syncope-console:{{ applications[application_id].version }}
+     ports:
+       - "28080:8080"
+     restart: always
+     environment:
+       SPRING_PROFILES_ACTIVE: docker,saml2
+       SERVICE_DISCOVERY_ADDRESS: {{ domains | get_url(application_id, web_protocol) }}/{{syncope_paths[console]}}/
+
+   enduser: 
+     depends_on:
+       - syncope
+     image: apache/syncope-enduser:{{ applications[application_id].version }}
+     ports:
+       - "38080:8080"
+     restart: always
+     environment:
+       SPRING_PROFILES_ACTIVE: docker,saml2
+       SERVICE_DISCOVERY_ADDRESS: {{ domains | get_url(application_id, web_protocol) }}/{{syncope_paths[enduser]}}/
+
+{% include 'roles/docker-compose/templates/networks.yml.j2' %}
--- a/roles/web-app-syncope/templates/env.j2
+++ b/roles/web-app-syncope/templates/env.j2
@@ -0,0 +1,12 @@
+# Default variables
+
+KEYMASTER_USERNAME={{ syncope_anonymous_user }}
+KEYMASTER_PASSWORD={{ syncope_anonymous_password }}
+ANONYMOUS_USER={{ syncope_anonymous_user }}
+ANONYMOUS_KEY={{ syncope_anonymous_password }}
+KEYMASTER_ADDRESS={{ syncope_keymaster_address }}
+
+# Spring Boot Variables
+# @See https://docs.spring.io/spring-boot/docs/2.0.9.RELEASE/reference/html/boot-features-external-config.html
+SECURITY_ADMINUSER={{ syncope_administrator_user }}
+SECURITY_ADMINPASSWORD={{ syncope_administrator_password }}
--- a/roles/web-app-syncope/templates/proxy.conf
+++ b/roles/web-app-syncope/templates/proxy.conf
@@ -0,0 +1,22 @@
+server
+{
+  server_name {{domain}};
+
+  {% if applications | is_feature_enabled('oauth2',application_id) %}
+    {% include 'roles/web-app-oauth2-proxy/templates/endpoint.conf.j2'%}
+  {% endif %}
+
+  {% include 'roles/webserver-injector-core/templates/global.includes.conf.j2'%}
+  
+  {% if nginx_docker_reverse_proxy_extra_configuration is defined %}
+    {# Additional Domain Specific Configuration #}
+    {{nginx_docker_reverse_proxy_extra_configuration}}
+  {% endif %}
+
+  {% include 'roles/letsencrypt/templates/ssl_header.j2' %}
+
+  {% for path in syncope_paths.values() %}
+    {% set location =  web_protocol ~ '://' ~ domains | get_domain(application_id) ~ '/' ~ path ~ '/' %}
+    {% include 'roles/webserver-proxy-core/templates/location/proxy_basic.conf.j2'%}
+  {% endfor %}
+}
--- a/roles/web-app-syncope/vars/configuration.yml
+++ b/roles/web-app-syncope/vars/configuration.yml
@@ -0,0 +1,12 @@
+#  syncope:
+#    version:         "latest"
+#    credentials:
+#     anonymous:
+#       password:     # Set in environment file
+#     database:
+#       password:     # Set in environment file
+#     administrator:
+#       password:       "{{ users.administrator.password }}"
+#     users:
+#       administrator:
+#         username:     "{{ users.administrator.username }}"
--- a/roles/web-app-syncope/vars/main.yml
+++ b/roles/web-app-syncope/vars/main.yml
@@ -0,0 +1,17 @@
+# General Configuration
+application_id:                 syncope
+database_type:                  "postgres"
+database_password:              "{{ domains | get_domain(application_id).credentials.database_password }}"
+
+# Application Specific
+syncope_keymaster_address:      http://localhost:8080/syncope/rest/keymaster
+syncope_paths:
+  rest:                         rest
+  console:                      console
+  enduser:                      enduser
+
+syncope_anonymous_user:         "{{ domains | get_domain(application_id).users.anonymous.username }}"
+syncope_anonymous_password:     "{{ domains | get_domain(application_id).credentials.anonymous.password }}"
+
+syncope_administrator_user:     "{{ domains | get_domain(application_id).users.administrator.username }}"
+syncope_administrator_password: "{{ domains | get_domain(application_id).credentials.administrator_password }}"