# This file holds all the defaults for the /etc/ood/config/ood_portal.yml
#
# See https://osc.github.io/ood-documentation/latest/reference/files/ood-portal-yml.html
# for more details on this file and its configurations.
#
# These are role defaults: override them from inventory/group_vars rather
# than editing this file. Anything that is a secret (OIDC client secrets,
# LDAP bind passwords, crypto passphrases) should come from Ansible Vault,
# never a literal committed here.
#
# When true this configuration will run the ood_portal_generator to generate the apache
# config files. When false, this role will generate an equivalent apache configuration.
ood_portal_generator: true
# Use this variable to define anything you need inside ood VirtualHost that
# isn't already there.
# Tip: Could be multi-line yml with | or >, so you could add new Location
# directives or a whole lot more.
# NOTE(review): whatever is placed here lands verbatim in the Apache config,
# so treat it as privileged input — never assemble it from user-controlled data.
#
# httpd_extra:
# httpd_listen_addr_port:
#   - 80
#   - 443
httpd_use_rewrites: true
# Source addresses that (presumably) still get through while use_maintenance
# is on; empty means no bypass is configured.
maintenance_ip_whitelist: []
use_maintenance: true
# Browser hardening headers. Both are left unset here so the generator's own
# defaults apply (confirm those in the docs linked at the top of this file).
# Set security_strict_transport only once the portal is served over TLS, and
# restrict security_csp_frame_ancestors to origins that legitimately embed
# the portal, otherwise it can be framed (clickjacking).
# security_csp_frame_ancestors:
# security_strict_transport:
# Placeholder. Production must set the real FQDN: the certificate name,
# redirects and the auto-generated OIDC client id / redirect URI (see the
# dex example below) are all derived from it.
servername: localhost
# proxy_server:
# Plain HTTP on port 80 is the out-of-the-box default. Combined with the
# Basic-auth default in httpd_auth below, credentials cross the wire in the
# clear unless ssl_cert/ssl_cert_key are set — enable TLS before exposing
# this host beyond a lab.
httpd_port: 80
# ssl_cert: "/etc/pki/tls/certs/www.example.com.crt"
# ssl_cert_key: "/etc/pki/tls/certs/www.example.com.key"
# ssl_cert_chain: "/etc/pki/tls/certs/www.example.com.chain"
# ssl:
#   - "SSLCertificateFile {{ ssl_cert }}"
#   - "SSLCertificateKeyFile {{ ssl_cert_key }}"
#   - "SSLCertificateChainFile {{ ssl_cert_chain }}"
# Authentication directives inserted into the Apache config. The default is
# file-based Basic auth against an htpasswd file, which is fine for a first
# install or a lab; for a multi-user deployment replace it with a real
# identity provider (the OIDC / Dex settings further down). Basic credentials
# are resent on every request, so this default is only acceptable behind TLS
# (see ssl_cert / ssl_cert_key above).
httpd_auth:
  - AuthType Basic
  - AuthName "private"
  - AuthUserFile "{{ apache_etc_dir }}/.htpasswd"
  # Drop the Authorization header once Apache has authenticated the request,
  # presumably so the user's password is not forwarded on to the proxied
  # per-user server (PUN) and any app running under it.
  - RequestHeader unset Authorization
  - Require valid-user
lua_root: "{{ ood_base_dir }}/mod_ood_proxy/lib"
# Log level for the mod_ood_proxy Lua code, wired into httpd_loggers below.
# Raising it to debug/trace may write per-request details (URIs, user names)
# into the error log — keep it at info in production and check log file
# permissions if you turn it up for troubleshooting.
lua_log_level: info
httpd_loggers:
  - "LogLevel lua_module:{{ lua_log_level }}"
# httpd_error_log: 'error.log'
# httpd_access_log: 'access.log'
# httpd_logformat:
# Regex applied to the authenticated user name when mapping it to a local
# account (see the docs linked at the top for the exact precedence with
# user_map_cmd). '.*' accepts any name, so restricting *who* may log in has
# to happen at the identity provider or in user_map_cmd, not here.
user_map_match: '.*'
# user_map_cmd: null
# user_env: REMOTE_USER
# map_fail_uri: /register
# The per-user nginx is staged through sudo, i.e. with elevated privilege on
# behalf of any authenticated user. The matching sudoers rule for the Apache
# user should be limited to exactly this executable — not a wildcard or the
# whole directory.
pun_stage_cmd: "sudo {{ ood_base_dir }}/nginx_stage/sbin/nginx_stage"
# pun_pre_hook_root_cmd: null
# pun_pre_hook_exports: null
# node_uri: '/node'
# rnode_uri: '/rnode'
# Host pattern accepted by the node/rnode reverse proxy (presumably matched
# against the host segment of node_uri / rnode_uri requests). The default
# matches anything up to the next '/', i.e. any host the portal can reach;
# tighten it to your compute-node naming scheme (cluster prefix, domain) so
# the portal cannot be turned into a general-purpose proxy by a logged-in user.
host_regex: '[^/]+'
pun_uri: "/pun"
pun_socket_root: "/var/run/ondemand-nginx"
pun_max_retries: 5
nginx_uri: /nginx
root_uri: "{{ pun_uri }}/sys/dashboard"
# Filesystem roots the PUN loads apps from; %{owner} / %{name} are
# placeholders filled in by OnDemand. The dev and usr roots are keyed by
# owner, so write access to those directories presumably equals the ability
# to run code under the portal — keep their permissions tight.
nginx_app_root:
  dev: "{{ ood_dev_app_dir }}/%{owner}/gateway/%{name}"
  usr: "{{ ood_usr_app_dir }}/%{owner}/gateway/%{name}"
  sys: "{{ ood_sys_app_dir }}/%{name}"
# analytics_url: "http://www.google-analytics.com/collect"
# analytics_id: "123-my-id"
httpd_public_uri: "/public"
httpd_public_root: "/var/www/ood/public"
logout_uri: "/logout"
logout_redirect: "/pun/sys/dashboard/logout"
# write the OIDC settings in the same file as the ood-portal configurations
# when using the ansible ood-portal.conf.j2 template
oidc_settings_samefile: false
# oidc_uri:
# oidc_discover_uri:
# oidc_discover_root:
# register_uri:
# register_root:
# # Apache for mod_auth_openidc, default undef
# ood_auth_openidc:
#   # (28888 looks like a typo for 28800, the value used below — confirm)
#   OIDCSessionMaxDuration: 28888
#   OIDCClientID: myid
#   OIDCProviderMetadataURL: https://localhost/
#   # Placeholder only. This passphrase protects mod_auth_openidc's encrypted
#   # cookies/state; generate a long random value and keep it in Vault.
#   OIDCCryptoPassphrase: mycryptopass
# # ood-portal-generator oidc configurations
# oidc_provider_metadata_url: null
# oidc_client_id: null
# # Secret: source it from Vault, never commit a literal here.
# oidc_client_secret: null
# # This claim becomes the local user name. Note preferred_username is not
# # guaranteed unique or immutable by the OIDC spec; only map it to OS
# # accounts if your IdP enforces uniqueness for it, otherwise pick a claim
# # the IdP does guarantee.
# oidc_remote_user_claim: preferred_username
# oidc_scope: "openid profile email"
# # Session limits in seconds (8 hours). Shorter values reduce how long a
# # stolen session cookie stays usable.
# oidc_session_inactivity_timeout: 28800
# oidc_session_max_duration: 28800
# oidc_state_max_number_of_cookies: "10 true"
# # Keep SameSite on so the session cookie is not sent on cross-site requests.
# oidc_cookie_same_site: "On"
# oidc_settings: {}
# Example for the bundled Dex identity provider. Values below are
# placeholders for illustration, not production settings.
# dex_settings: |
#   dex:
#     # Default based on if ssl key for ood-portal-generator is defined
#     ssl: false
#     # Only used if SSL is disabled
#     http_port: "5556"
#     # Only used if SSL is enabled
#     https_port: "5554"
#     # tls_cert and tls_key take OnDemand configured values for ssl and copy keys to /etc/ood/dex maintaining file names
#     tls_cert: null
#     tls_key: null
#     # Dex's on-disk state; restrict its permissions to the Dex service user.
#     storage_file: /etc/ood/dex/dex.db
#     grpc: null
#     expiry: null
#     # Client ID, defaults to servername or FQDN
#     client_id: null
#     client_name: OnDemand
#     # Client secret, value auto generated
#     # A value that is a filesystem path can be used to store secret in a file
#     client_secret: /etc/ood/dex/ondemand.secret
#     # The OnDemand redirectURI is auto-generated, this option allows adding additional URIs
#     # Every URI added here is somewhere Dex will deliver auth codes to —
#     # list only origins you control, and no wildcards.
#     client_redirect_uris: []
#     # Additional Dex OIDC clients to configure
#     static_clients: []
#     # The following example is to configure OpenLDAP
#     # Docs: https://github.com/dexidp/dex/blob/master/Documentation/connectors/ldap.md
#     connectors:
#       - type: ldap
#         id: ldapg
#         name: LDAP
#         config:
#           # LDAPS on 636 with certificate verification kept on. If you hit a
#           # certificate error, install the CA rather than setting
#           # insecureSkipVerify to true.
#           host: openldap.my_center.edu:636
#           insecureSkipVerify: false
#           # Use a read-only service account for the bind. 'admin' is a
#           # placeholder; the real password belongs in Ansible Vault, not in a
#           # committed vars file.
#           bindDN: cn=admin,dc=example,dc=org
#           bindPW: admin
#           userSearch:
#             baseDN: ou=People,dc=example,dc=org
#             filter: "(objectClass=posixAccount)"
#             username: uid
#             idAttr: uid
#             emailAttr: mail
#             nameAttr: gecos
#             preferredUsernameAttr: uid
#           groupSearch:
#             baseDN: ou=Groups,dc=example,dc=org
#             filter: "(objectClass=posixGroup)"
#             userMatchers:
#               - userAttr: DN
#                 groupAttr: member
#             nameAttr: cn
#   frontend:
#     theme: ondemand
#     dir: /usr/share/ondemand-dex/web