From 26411202baa57c9b24a8c35fcc1b73492a4b54a0 Mon Sep 17 00:00:00 2001 From: Martin van Es Date: Mon, 6 Nov 2023 11:16:24 +0100 Subject: [PATCH] Add docker environment --- environments/docker/files/ldap_cloud_ref | 323 +++++++++ environments/docker/group_vars/all.yml | 136 ++++ environments/docker/group_vars/bhr.yml | 6 + environments/docker/group_vars/client.yml | 12 + environments/docker/group_vars/lb.yml | 23 + environments/docker/group_vars/ldap.yml | 13 + environments/docker/group_vars/meta.yml | 12 + environments/docker/group_vars/sandbox1.yml | 3 + environments/docker/group_vars/sbs.yml | 48 ++ environments/docker/group_vars/vm.yml | 84 +++ environments/docker/group_vars/zabbix.yml | 83 +++ environments/docker/inventory | 99 +++ environments/docker/secrets/all.yml | 703 ++++++++++++++++++++ environments/docker/secrets/users.yml | 36 + environments/vm/group_vars/all.yml | 2 +- environments/vm/group_vars/vm.yml | 14 +- environments/vm/inventory | 7 - start-vm | 2 + 18 files changed, 1591 insertions(+), 15 deletions(-) create mode 100644 environments/docker/files/ldap_cloud_ref create mode 100644 environments/docker/group_vars/all.yml create mode 100644 environments/docker/group_vars/bhr.yml create mode 100644 environments/docker/group_vars/client.yml create mode 100644 environments/docker/group_vars/lb.yml create mode 100644 environments/docker/group_vars/ldap.yml create mode 100644 environments/docker/group_vars/meta.yml create mode 100644 environments/docker/group_vars/sandbox1.yml create mode 100644 environments/docker/group_vars/sbs.yml create mode 100644 environments/docker/group_vars/vm.yml create mode 100644 environments/docker/group_vars/zabbix.yml create mode 100644 environments/docker/inventory create mode 100644 environments/docker/secrets/all.yml create mode 100644 environments/docker/secrets/users.yml diff --git a/environments/docker/files/ldap_cloud_ref b/environments/docker/files/ldap_cloud_ref new file mode 100644 index 000000000..11b659ba7 
--- /dev/null +++ b/environments/docker/files/ldap_cloud_ref 
@@ -0,0 +1,323 @@ +cn=@all,ou=Groups,o=uva.research,dc=ordered,dc=https://cloud,dc=services,dc=vnet + businessCategory + uva.tag_uva + cn + @all + description + All CO members + displayName + All Members of UVA UCC research + member + uid=peter,ou=People,o=uva.research,dc=ordered,dc=https://cloud,dc=services,dc=vnet + uid=roger,ou=People,o=uva.research,dc=ordered,dc=https://cloud,dc=services,dc=vnet + uid=sarah,ou=People,o=uva.research,dc=ordered,dc=https://cloud,dc=services,dc=vnet + objectClass + extensibleObject + groupOfMembers + uniqueIdentifier + 68983158-e314-4d49-98a5-f166285d7509 +cn=admin,dc=https://cloud,dc=services,dc=vnet + cn + admin + objectClass + organizationalRole + simpleSecurityObject + userPassword + changethispassword +cn=mail-mail,ou=Groups,o=uva.research,dc=ordered,dc=https://cloud,dc=services,dc=vnet + cn + mail-mail + description + Provisioned by service Mail Services - Mail group + displayName + service_group_mail_name + objectClass + extensibleObject + groupOfMembers + uniqueIdentifier + 9267f1e2-93bd-4911-b8ff-0733b662e7a3 +cn=science,ou=Groups,o=uva.research,dc=ordered,dc=https://cloud,dc=services,dc=vnet + cn + science + description + Science + displayName + Science + member + uid=roger,ou=People,o=uva.research,dc=ordered,dc=https://cloud,dc=services,dc=vnet + objectClass + extensibleObject + groupOfMembers + uniqueIdentifier + 3dabb5b6-6076-4ac9-86cd-47a54cdcbbaa +cn=uva.research.@all,ou=Groups,dc=flat,dc=https://cloud,dc=services,dc=vnet + businessCategory + uva.tag_uva + cn + uva.research.@all + description + All CO members + displayName + All Members of UVA UCC research + mail + sarah@uva.org + member + uid=peter,ou=People,dc=flat,dc=https://cloud,dc=services,dc=vnet + uid=roger,ou=People,dc=flat,dc=https://cloud,dc=services,dc=vnet + uid=sarah,ou=People,dc=flat,dc=https://cloud,dc=services,dc=vnet + objectClass + extensibleObject + groupOfMembers + uniqueIdentifier + 68983158-e314-4d49-98a5-f166285d7509 
+cn=uva.research.mail-mail,ou=Groups,dc=flat,dc=https://cloud,dc=services,dc=vnet + cn + uva.research.mail-mail + description + Provisioned by service Mail Services - Mail group + displayName + service_group_mail_name + mail + sarah@uva.org + objectClass + extensibleObject + groupOfMembers + uniqueIdentifier + 9267f1e2-93bd-4911-b8ff-0733b662e7a3 +cn=uva.research.science,ou=Groups,dc=flat,dc=https://cloud,dc=services,dc=vnet + cn + uva.research.science + description + Science + displayName + Science + mail + sarah@uva.org + member + uid=roger,ou=People,dc=flat,dc=https://cloud,dc=services,dc=vnet + objectClass + extensibleObject + groupOfMembers + uniqueIdentifier + 3dabb5b6-6076-4ac9-86cd-47a54cdcbbaa +dc=flat,dc=https://cloud,dc=services,dc=vnet + dc + flat + objectClass + dcObject + organizationalUnit + ou + flat +dc=https://cloud,dc=services,dc=vnet + dc + https://cloud + labeledURI + https://privacy.org pp + o + https://cloud + objectClass + dcObject + labeledURIObject + organization +dc=ordered,dc=https://cloud,dc=services,dc=vnet + dc + ordered + objectClass + dcObject + organizationalUnit + ou + ordered +o=uva.research,dc=ordered,dc=https://cloud,dc=services,dc=vnet + businessCategory + uva.tag_uva + description + University of Amsterdam Research - Urban Crowd Control + displayName + UVA UCC research + labeledURI + https://sbs.scz-vm.net/api/images/collaborations/e1881a37-4a70-4202-91d5-3acefbd223d6 logo + https://sbs.scz-vm.net/collaborations/2 sbs_url + mail + sarah@uva.org + o + uva.research + objectClass + extensibleObject + organization + top + uniqueIdentifier + 68983158-e314-4d49-98a5-f166285d7509 +ou=Groups,dc=flat,dc=https://cloud,dc=services,dc=vnet + objectClass + organizationalUnit + top + ou + Groups +ou=Groups,o=uva.research,dc=ordered,dc=https://cloud,dc=services,dc=vnet + objectClass + organizationalUnit + top + ou + Groups +ou=People,dc=flat,dc=https://cloud,dc=services,dc=vnet + objectClass + organizationalUnit + top + ou + People 
+ou=People,o=uva.research,dc=ordered,dc=https://cloud,dc=services,dc=vnet + objectClass + organizationalUnit + top + ou + People +uid=peter,ou=People,dc=flat,dc=https://cloud,dc=services,dc=vnet + cn + urn:peter + displayName + Peter Doe + eduPersonScopedAffiliation + member@sram.surf.nl + eduPersonUniqueId + urn:peter + givenName + n/a + mail + peter@example.org + objectClass + eduPerson + inetOrgPerson + person + voPerson + sn + n/a + uid + peter + voPersonStatus + active +uid=peter,ou=People,o=uva.research,dc=ordered,dc=https://cloud,dc=services,dc=vnet + cn + urn:peter + displayName + Peter Doe + eduPersonScopedAffiliation + member@sram.surf.nl + eduPersonUniqueId + urn:peter + givenName + n/a + mail + peter@example.org + objectClass + eduPerson + inetOrgPerson + person + voPerson + sn + n/a + uid + peter + voPersonStatus + active +uid=roger,ou=People,dc=flat,dc=https://cloud,dc=services,dc=vnet + cn + urn:roger + displayName + Roger Doe + eduPersonScopedAffiliation + member@sram.surf.nl + eduPersonUniqueId + urn:roger + givenName + n/a + mail + roger@example.org + objectClass + eduPerson + inetOrgPerson + person + voPerson + sn + n/a + uid + roger + voPersonStatus + active +uid=roger,ou=People,o=uva.research,dc=ordered,dc=https://cloud,dc=services,dc=vnet + cn + urn:roger + displayName + Roger Doe + eduPersonScopedAffiliation + member@sram.surf.nl + eduPersonUniqueId + urn:roger + givenName + n/a + mail + roger@example.org + objectClass + eduPerson + inetOrgPerson + person + voPerson + sn + n/a + uid + roger + voPersonStatus + active +uid=sarah,ou=People,dc=flat,dc=https://cloud,dc=services,dc=vnet + cn + urn:sarah + displayName + Sarah Cross + eduPersonScopedAffiliation + member@sram.surf.nl + eduPersonUniqueId + urn:sarah + givenName + n/a + mail + sarah@uva.org + objectClass + eduPerson + inetOrgPerson + ldapPublicKey + person + voPerson + sn + n/a + sshPublicKey + some-lame-key + uid + sarah + voPersonStatus + active 
+uid=sarah,ou=People,o=uva.research,dc=ordered,dc=https://cloud,dc=services,dc=vnet + cn + urn:sarah + displayName + Sarah Cross + eduPersonScopedAffiliation + member@sram.surf.nl + eduPersonUniqueId + urn:sarah + givenName + n/a + mail + sarah@uva.org + objectClass + eduPerson + inetOrgPerson + ldapPublicKey + person + voPerson + sn + n/a + sshPublicKey + some-lame-key + uid + sarah + voPersonStatus + active diff --git a/environments/docker/group_vars/all.yml b/environments/docker/group_vars/all.yml new file mode 100644 index 000000000..6d436a199 --- /dev/null +++ b/environments/docker/group_vars/all.yml 
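Review bot: The `cn=admin,dc=https://cloud,dc=services,dc=vnet` entry in this reference dump carries a literal `userPassword` of `changethispassword`, which is also the value of `services_ldap_password` in the `environments/docker/secrets/all.yml` added by this commit; presumably the monitor comparison expects the two to agree, but nothing records that coupling. A header comment, if the consumer tolerates one, or a comment next to `ldap_monitor_reference` in group_vars/ldap.yml such as `# reference dump: the cn=admin userPassword must track services_ldap_password in secrets/all.yml` would make it explicit. The `sshPublicKey` value `some-lame-key` on both sarah entries is a placeholder rather than a key, which is fine for a fixture but worth stating in the same comment.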
@@ -0,0 +1,136 @@ +--- +ansible_ssh_common_args: > + -o StrictHostKeyChecking=false + -o UserKnownHostsFile={{playbook_dir}}/docker/known_hosts +ansible_ssh_user: "ansible" +ansible_ssh_private_key_file: "docker/ansible_key" + +secrets_file: "environments/vm/secrets/all.yml" +secrets_users_file: "environments/vm/secrets/users.yml" + +admin_email: "admin@{{base_domain}}" + +is_aws: false +experimental_features: true + +servers: + dns: + - 8.8.8.8 + search: + - vm.scz-vm.net + ntp: + - 0.pool.ntp.org + - 1.pool.ntp.org + - 2.pool.ntp.org + - 3.pool.ntp.org + ping: + - "127.0.0.1" + +fake_hostnames: true +use_logserver: false + +use_fixed_cert: true +cert_dir: "/etc/ssl/scz" + +# onderstaande is breekbaar; ansible_default_ipv4 kan best een dhcp-ip zijn +# dat niet in de inventory is gedefinieerd. (afhankelijk van je configuratie +# van libvirt etc) +iprange: + vm: + - "172.20.1.0/24" + - "10.0.0.0/16" + - "192.168.121.0/24" + bastion: "172.20.1.1" + lb: "172.20.1.24" + #comanage: "172.20.1.21" + mgnt: "172.20.1.0/24" + internal: "172.20.1.0/24" + monitoring: "172.20.1.29/32" + +mail: + relay_host: "172.20.1.1" + relay_to: "mail.vm.{{base_domain}}" + relay_port: 1025 + relay_for: + - "{{iprange.mgnt}}" + domain: "{{base_domain}}" + admin_address: "root@{{base_domain}}" + admin_name: "Root User" + debug_address: "root@{{base_domain}}" + +org: + name: "SCZ-vm" + url: "https://sbs.scz-vm.net/" + +admin: + fn: "B." 
+ sn: "Baas" + eppn: "admin@{{base_domain}}" + email: "{{admin_email}}" + sho: "{{base_domain}}" + +# versions +sbs_version: "branch+main" +plsc_version: "main" + +# poor man's user management +root: + pw_hash: "$6$rounds=500000$AtgwpGVMAm0fyIf$g4JqeEu8O//KsklaqIEJX6UnQgEtrMTrZdNcp/v/O/G75BjISGZINC\ + rJ0JREkKficMZV5IsdshT9cVACb0cxR1" +users: + - name: SCZ + uid: scz + groups: ['scz','sudo_test','sudo_mgnt','systemd-journal'] + # password 'scz' + pw_hash: "$6$rounds=500000$OOIfLX7bEQus$krZ/mSucwYN5dK25FlrvxmkMfUa4R585tXwihZFDWbXUVSJXymIeJpq\ + pRvP88TEgaNAXrKMD9qbWYvnSLeDOe." + sshkey: "" + +removed_users: [] + +firewall_v4_incoming: + - { name: bastion, src: "{{iprange.bastion}}", dport: "22,80,443", proto: tcp } + - { name: vnet, src: "{{iprange.internal}}", dport: "22,80,443", proto: tcp } + - { name: zabbix, src: "{{iprange.monitoring}}", dport: "10050", proto: tcp } + +backup_base: "/opt/backups" +backup_runparts: "{{backup_base}}/run.d" + +ssl_certs_dir: "/etc/ssl" + +services_ldap: + host: "{{ groups['ldap'][0] }}" + basedn: "dc=services,dc=vnet" + o: "Services" + binddn: "cn=admin,dc=services,dc=vnet" + +db_host: "db" +sbs_db_name: "sbs" +sbs_db_user: "sbs" + +sbs_client_id: sbs-server +sbs_base_url: "https://{{hostnames.sbs}}" + +# Redis +sbs_redis_host: "redis.vm.scz-vm.net" +sbs_redis_port: 6379 +sbs_redis_ssl: false + +# Docker ports +docker_ports: + sbs: 8321 + +# Enable SBS deploy +sbs_enabled: true +sbs_api_url: "https://{{ hostnames.sbs }}/" + +# No Zabbix on VM/Travis +zabbix_enabled: false + +journal_upload_host: "bhr.vm.scz-vm.net" + +zabbix_api_url: "https://bhr.vm.scz-vm.net:443/" +zabbix_api_user: "ansible_api" +zabbix_api_password: "geheim_api_password" +zabbix_server: "bhr.vm.scz-vm.net" +zabbix_validate_certs: no diff --git a/environments/docker/group_vars/bhr.yml b/environments/docker/group_vars/bhr.yml new file mode 100644 index 000000000..99ac7f876 --- /dev/null +++ b/environments/docker/group_vars/bhr.yml 
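Review bot: `secrets_file` and `secrets_users_file` still point at `environments/vm/secrets/all.yml` and `environments/vm/secrets/users.yml`, while this commit creates `environments/docker/secrets/all.yml` and `environments/docker/secrets/users.yml` that nothing in the docker group_vars references; unless a playbook overrides these variables, the docker environment runs with the vm secrets and the new files are dead. The fix is `secrets_file: "environments/docker/secrets/all.yml"` and `secrets_users_file: "environments/docker/secrets/users.yml"`. Separately, `zabbix_validate_certs: no` relies on YAML 1.1 truthy parsing; write `zabbix_validate_certs: false` as the file already does for `is_aws` and `use_logserver`. The Dutch comment above `iprange` would also benefit from an English rendering, since every other comment in the file is English.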
@@ -0,0 +1,6 @@ +--- +zabbix_templates_extra: + - "Zabbix server health" + +firewall_v4_incoming: + - { name: zabbix, src: "{{iprange.internal}}", dport: "10051", proto: tcp } diff --git a/environments/docker/group_vars/client.yml b/environments/docker/group_vars/client.yml new file mode 100644 index 000000000..144ecfaa6 --- /dev/null +++ b/environments/docker/group_vars/client.yml @@ -0,0 +1,12 @@ +--- +firewall_v4_incoming: + - { name: bastion, src: "{{iprange.bastion}}", dport: "22", proto: tcp } + - { name: loadbalancer, src: "{{iprange.lb}}", dport: "80", proto: tcp } + - { name: loadbalancer, src: "{{iprange.lb}}", dport: "{{idp_test_port}}", proto: tcp } + - { name: loadbalancer, src: "{{iprange.lb}}", dport: "{{sp_test_port}}", proto: tcp } + - { name: loadbalancer, src: "{{iprange.lb}}", dport: "{{oidc_test_port}}", proto: tcp } + - { name: loadbalancer, src: "{{iprange.lb}}", dport: "{{tfa_test_port}}", proto: tcp } + - { name: vnet, src: "{{iprange.internal}}", dport: "22,80,443", proto: tcp } + +# SimpleSAMLphp +simplesaml_project_dir: "/opt/simplesaml" diff --git a/environments/docker/group_vars/lb.yml b/environments/docker/group_vars/lb.yml new file mode 100644 index 000000000..3b2460cb5 --- /dev/null +++ b/environments/docker/group_vars/lb.yml @@ -0,0 +1,23 @@ +--- +enable_ipv6: true + +haproxy: + custom_dhparam: false + dhparam_keysize: 2048 + +http_hosts: + - "{{base_domain}}" + - "sbs.{{base_domain}}" + - "meta.{{base_domain}}" + +zabbix_templates_extra: + - "HAProxy by Zabbix agent" + +aclsync_interval_seconds: 30 + +firewall_v4_incoming: + - { name: bastion, src: "{{iprange.bastion}}", dport: "22", proto: tcp } + - { name: public_http, dport: "80", proto: tcp } + - { name: public_https, dport: "443", proto: tcp } + - { name: vnet, src: "{{iprange.internal}}", dport: "22,80,443,636", proto: tcp } + diff --git a/environments/docker/group_vars/ldap.yml b/environments/docker/group_vars/ldap.yml new file mode 100644 index 000000000..6efaf5b99 
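Review bot: The `firewall_v4_incoming` list here replaces the one from all.yml rather than extending it (a group's variable overrides the whole value), so the bhr host ends up with only the zabbix 10051 rule and loses the bastion and vnet entries for 22,80,443 that client.yml, lb.yml, ldap.yml and meta.yml in this commit all repeat explicitly. Unless the firewall role merges the lists from several precedence levels, ssh from the bastion and the internal range would be blocked on bhr. Add `- { name: bastion, src: "{{iprange.bastion}}", dport: "22", proto: tcp }` and `- { name: vnet, src: "{{iprange.internal}}", dport: "22,80,443", proto: tcp }` next to the zabbix rule, matching the other group files.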
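Review bot: `enable_ipv6: true` is set but only `firewall_v4_incoming` is defined, so the public 80/443 rules visibly cover IPv4 only; whether the firewall role derives v6 rules from the v4 list or expects a separate variable is not shown here and should be confirmed, and a comment under `enable_ipv6` recording the answer would prevent the question from recurring. The `public_http` and `public_https` entries have no `src` on purpose; a comment such as `# no src: reachable from anywhere by design (public load balancer)` keeps a later reader from "fixing" them. The lb.yml hunk also ends with a trailing blank line before EOF, which yamllint flags.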
--- /dev/null +++ b/environments/docker/group_vars/ldap.yml @@ -0,0 +1,13 @@ +--- +firewall_v4_incoming: + - { name: bastion, src: "{{iprange.bastion}}", dport: "22", proto: tcp } + - { name: loadbalancer, src: "{{iprange.lb}}", dport: "389", proto: tcp } + - { name: loadbalancer, src: "{{iprange.lb}}", dport: "{{pam_clients_port}}", proto: tcp } + - { name: vnet, src: "{{iprange.internal}}", dport: "22,389", proto: tcp } + +pam_host: "0.0.0.0" +pam_clients_port: 8087 + +# LDAP services monitor +ldap_monitor_service: "https://cloud" +ldap_monitor_reference: "ldap_cloud_ref" diff --git a/environments/docker/group_vars/meta.yml b/environments/docker/group_vars/meta.yml new file mode 100644 index 000000000..a223b93db --- /dev/null +++ b/environments/docker/group_vars/meta.yml @@ -0,0 +1,12 @@ +--- +firewall_v4_incoming: + - { name: bastion, src: "{{iprange.bastion}}", dport: "22", proto: tcp } + - { name: loadbalancer, src: "{{iprange.lb}}", dport: "80", proto: tcp } + - { name: vnet, src: "{{iprange.internal}}", dport: "22,80,443", proto: tcp } + +metadata_project_dir: "/opt/metadata" +proxy_hostname: "meta.scz-vm.net" +metadata_registration_authority: "http://federatie.example.org/" + +metadata_proxy_frontend_source: "https://proxy.sram.surf.nl/metadata/frontend.xml" +metadata_proxy_backend_source: "https://proxy.sram.surf.nl/metadata/backend.xml" diff --git a/environments/docker/group_vars/sandbox1.yml b/environments/docker/group_vars/sandbox1.yml new file mode 100644 index 000000000..a504971f9 --- /dev/null +++ b/environments/docker/group_vars/sandbox1.yml @@ -0,0 +1,3 @@ +--- +# pam_websso needs pam-based challenge-reponse enabled in sshd +sshd_authn_CR: true diff --git a/environments/docker/group_vars/sbs.yml b/environments/docker/group_vars/sbs.yml new file mode 100644 index 000000000..f3b8ff869 --- /dev/null +++ b/environments/docker/group_vars/sbs.yml 
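Review bot: `pam_host: "0.0.0.0"` binds the PAM service on every interface, and the only visible restriction on who can reach it is the `loadbalancer` rule above limiting `{{pam_clients_port}}` to `{{iprange.lb}}`; that dependency deserves a comment next to `pam_host`, e.g. `# bound on all interfaces; reachability is limited to iprange.lb by the firewall rule above`. Note also that vm.yml in this commit routes the `client_pam` load-balancer entry to these hosts on `pam_backend_port` (92), which is not in this firewall list; if 92 is the port the load balancer actually connects to, it is blocked here, so either the port or the rule needs aligning.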
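Review bot: `proxy_hostname: "meta.scz-vm.net"` hard-codes the domain while every other hostname in this commit is derived from `base_domain` (vm.yml defines `hostnames.meta` as `meta.{{base_domain}}`), so changing `base_domain` for the docker environment would leave this value silently diverging. Use `proxy_hostname: "{{hostnames.meta}}"`, or at least `"meta.{{base_domain}}"`. `metadata_registration_authority` is an `http://` value; if it is an identifier rather than a URL that gets fetched, a comment saying so would pre-empt the obvious question.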
@@ -0,0 +1,48 @@ +--- +firewall_v4_incoming: + - name: loadbalancer + src: "{{lb_ip}}" + dport: "{{sbs_server_port}}" + proto: tcp + +sbs_urn_namespace: "urn:mace:surf.nl:x-sram-vm" +sbs_eppn_scope: "scz-vm.net" + +sbs_oidc_authz_endpoint: "https://{{ hostnames.oidc_op }}/authorization" +sbs_oidc_token_endpoint: "https://{{ hostnames.oidc_op }}/token" +sbs_oidc_userinfo_endpoint: "https://{{ hostnames.oidc_op }}/userinfo" +sbs_oidc_jwks_endpoint: "https://{{ hostnames.oidc_op }}/jwks.json" +sbs_oidc_redirect_uri: "https://{{ hostnames.sbs }}/api/users/resume-session" +sbs_oidc_sfo_endpoint: "https://{{ hostnames.oidc_op }}/sfo" +sbs_eduteams_continue_endpoint: "https://{{ hostnames.oidc_op }}/continue" +sbs_oidc_jwt_audience: "https://{{ hostnames.oidc_op }}" + +sbs_ldap_url: "ldap://ldap.scz-vm.net/dc=services,dc=vnet" +# entity_id will be replaced run-time in the client +sbs_ldap_bind_account: "cn=admin,dc=entity_id,dc=services,dc=vnet" + +sbs_db_tls_cert: "{{wildcard_backend_cert.pub}}" + +sbs_cron_hour_of_day: "4" +sbs_seed_allowed: True +sbs_api_keys_enabled: True +sbs_feedback_enabled: True +sbs_audit_trail_notifications_enabled: True +sbs_send_exceptions: False +sbs_send_js_exceptions: False +sbs_second_factor_authentication_required: True +sbs_totp_token_name: "SRAM-VM" +sbs_notifications_enabled: True +sbs_impersonation_allowed: True +sbs_admin_platform_backdoor_totp: True +sbs_past_dates_allowed: True +sbs_mock_scim_enabled: True +sbs_swagger_enabled: True + +sbs_mfa_idp_allowed: + - schac_home: "ci-runner.sram.surf.nl" + entity_id: "https://idp.scz-vm.net/saml/saml2/idp/metadata.php" + +sbs_ssid_identity_providers: + - schac_home: "ssid.org" + entity_id: "https://ssid.org" diff --git a/environments/docker/group_vars/vm.yml b/environments/docker/group_vars/vm.yml new file mode 100644 index 000000000..40af63489 --- /dev/null +++ b/environments/docker/group_vars/vm.yml 
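Review bot: The firewall rule uses `src: "{{lb_ip}}"` whereas every other group file in this commit uses `{{iprange.lb}}`, and all.yml defines `iprange.lb` but no `lb_ip`; unless `lb_ip` is set somewhere outside this commit, the rule fails to render. Change it to `src: "{{iprange.lb}}"`. The boolean flags are written `True`/`False`; yamllint's truthy rule and the rest of the environment use lowercase `true`/`false`. Several of them (`sbs_seed_allowed`, `sbs_impersonation_allowed`, `sbs_admin_platform_backdoor_totp`, `sbs_mock_scim_enabled`, `sbs_swagger_enabled`) relax production safeguards; a comment above that block noting that these are test-environment toggles intended only for the docker/vm environments would make the intent explicit.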
@@ -0,0 +1,84 @@ +--- +sudo_groups: + - "sudo_test" +log_groups: + - "log_reader" + +ldap_admin_group: ldap_vm + +environment_name: vm +environment_string: "SCZ VM" +base_domain: "scz-vm.net" +internal_base_domain: "vm.scz-vm.net" + +# externally visible! +hostnames: + ldap: ldap.{{base_domain}} + meta: meta.{{base_domain}} + sbs: sbs.{{base_domain}} + oidc: oidc-test.{{base_domain}} + sp: sp-test.{{base_domain}} + idp: idp-test.{{base_domain}} + tfa: 2fa-test.{{base_domain}} + pam: pam.{{base_domain}} + oidc_op: oidc-op.{{base_domain}} + +idp_test_port: 8444 +sp_test_port: 82 +oidc_test_port: 83 +# metadata_backend_port: 443 +# sbs_backend_port: 90 +tfa_test_port: 91 +pam_backend_port: 92 +meta_port: 88 +oidc_op_port: 93 + +loadbalancer: + - name: "sbs" + hostname: "{{hostnames.sbs}}" + protocol: http + backend_hosts: "{{groups['vm_docker']}}" + backend_port: 443 + options: + httpchk: "GET /health" + - name: "meta" + hostname: "{{hostnames.meta}}" + protocol: http + backend_hosts: "{{groups['vm_docker']}}" + backend_port: 443 + - name: "client_oidc" + hostname: "{{hostnames.oidc}}" + protocol: http + backend_hosts: "{{groups['vm_client']}}" + backend_port: "{{oidc_test_port}}" + - name: "client_sp" + hostname: "{{hostnames.sp}}" + protocol: http + backend_hosts: "{{groups['vm_client']}}" + backend_port: "{{sp_test_port}}" + - name: "client_idp" + hostname: "{{hostnames.idp}}" + protocol: http + backend_hosts: "{{groups['vm_client']}}" + backend_port: "{{idp_test_port}}" + - name: "client_2fa" + hostname: "{{hostnames.tfa}}" + protocol: http + backend_hosts: "{{groups['vm_client']}}" + backend_port: "{{tfa_test_port}}" + - name: "client_oidc_op" + hostname: "{{hostnames.oidc_op}}" + protocol: http + backend_hosts: "{{groups['vm_client']}}" + backend_port: "{{oidc_op_port}}" + - name: "client_pam" + hostname: "{{hostnames.pam}}" + protocol: http + backend_hosts: "{{groups['vm_ldap']}}" + backend_port: "{{pam_backend_port}}" + - name: "client_ldap" + hostname: 
"{{hostnames.ldap}}" + protocol: ldap + frontend_port: 636 + backend_hosts: "{{groups['vm_docker']}}" + backend_port: 636 diff --git a/environments/docker/group_vars/zabbix.yml b/environments/docker/group_vars/zabbix.yml new file mode 100644 index 000000000..2129c3cba --- /dev/null +++ b/environments/docker/group_vars/zabbix.yml 
@@ -0,0 +1,83 @@ +--- + +# generic +zabbix_server_version: "5.4" +zabbix_web_version: "5.4" +zabbix_repo: "zabbix" + +zabbix_service_state: "started" +zabbix_service_enabled: true +zabbix_selinux: false + +zabbix_admin_password: "zabbix_geheim" + +# server +zabbix_server_install_recommends: false +zabbix_server_tlsconnect: "psk" +zabbix_server_tlsaccept: "psk" + +# database +zabbix_server_database: "mysql" +zabbix_server_database_long: "{{zabbix_server_database}}" +zabbix_server_mysql_login_unix_socket: "/var/run/mysqld/mysqld.sock" +zabbix_server_install_database_client: false +zabbix_database_sqlload: true +zabbix_server_dbname: "zabbix" +zabbix_server_dbuser: "zabbix" +zabbix_server_dbpassword: "zabbix_g3he1m" + +# web +zabbix_url: "bhr.vm.scz-vm.net" +zabbix_url_aliases: [] +zabbix_timezone: "Europe/Amsterdam" +zabbix_websrv: "nginx" +zabbix_web_conf_web_user: "root" +zabbix_web_conf_web_group: "zabbix-fpm" +zabbix_web_htpasswd: false +zabbix_web_allowlist_ips: [] + +# nginx +zabbix_nginx_vhost_port: "80" +zabbix_nginx_vhost_tls_port: "443" +zabbix_nginx_tls: true +zabbix_nginx_tls_crt: "/etc/ssl/zabbix_web.crt" +zabbix_nginx_tls_key: "/etc/ssl/zabbix_web.key" +zabbix_nginx_tls_dhparam: "/etc/ssl/dh_param.pem" +zabbix_nginx_tls_protocols: "TLSv1.3" +zabbix_nginx_tls_ciphers: "HIGH:!aNULL:!MD5" + +# php +zabbix_php_fpm_conf_user: "zabbix-fpm" +zabbix_php_fpm_conf_group: "zabbix-fpm" +zabbix_php_fpm_conf_mode: "0664" +zabbix_php_fpm_dir_etc: "/opt/zabbix/fpm/etc" +zabbix_php_fpm_dir_var: "/opt/zabbix/fpm/var" + +apache_additional_ports: + - "{{zabbix_apache_vhost_port}}" + - "{{zabbix_apache_vhost_tls_port}}" + + +zabbix_cert: + priv: | + -----BEGIN EC PARAMETERS----- + BgUrgQQAIg== + -----END EC PARAMETERS----- + -----BEGIN EC PRIVATE KEY----- + MIGkAgEBBDCpNgOQzC35kyal15OH1N71eiREqT53JUQOEOHjrQIgq268PeyRtYk8 + ZeTiXYnxnuqgBwYFK4EEACKhZANiAATSlg7zROf/KXqJO09IDos/D6T+gMhuFx9L + cJWiMwwlUxcK+E6FR81zWNkJEs53K+Ft7Rz4mH74BHvcHzGzsNyGhGzDEN6kqY/3 + 
9UFp0PdN93OnfcDdVRl3D1cxG8FJizY= + -----END EC PRIVATE KEY----- + pub: | + -----BEGIN CERTIFICATE----- + MIIBpDCCASsCBS8Ohhc/MAoGCCqGSM49BAMCMD4xCzAJBgNVBAYTAk5MMQ0wCwYD + VQQKEwRTVVJGMREwDwYDVQQLEwhTZXJ2aWNlczENMAsGA1UEAxMEdGVzdDAeFw0y + MTA3MTMxNTExMzBaFw0zMTA3MTExNTExMzBaMD4xCzAJBgNVBAYTAk5MMQ0wCwYD + VQQKEwRTVVJGMREwDwYDVQQLEwhTZXJ2aWNlczENMAsGA1UEAxMEdGVzdDB2MBAG + ByqGSM49AgEGBSuBBAAiA2IABNKWDvNE5/8peok7T0gOiz8PpP6AyG4XH0twlaIz + DCVTFwr4ToVHzXNY2QkSzncr4W3tHPiYfvgEe9wfMbOw3IaEbMMQ3qSpj/f1QWnQ + 9033c6d9wN1VGXcPVzEbwUmLNjAKBggqhkjOPQQDAgNnADBkAjAdyOOH9P8+PRR3 + kSpv5jk3O6x2zoRN6NOfa7/eC1dttwsMyXfbILLydEiwWXdvYdwCMEwHgkj2p7R8 + NL98C0U7HSMA6goQHXavvKiDgcqxEfy77aGNvUps4a+mAdMnMBDdMA== + -----END CERTIFICATE----- diff --git a/environments/docker/inventory b/environments/docker/inventory new file mode 100644 index 000000000..cc38cb14b --- /dev/null +++ b/environments/docker/inventory 
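Review bot: `apache_additional_ports` references `zabbix_apache_vhost_port` and `zabbix_apache_vhost_tls_port`, but this file defines only `zabbix_nginx_vhost_port`/`zabbix_nginx_vhost_tls_port` and sets `zabbix_websrv: "nginx"`; unless the role supplies apache defaults, the list is either undefined or stale and should be dropped or switched to the nginx variables. The admin and database passwords (`zabbix_admin_password`, `zabbix_server_dbpassword`) and the EC private key under `zabbix_cert.priv` live in group_vars rather than in the new `secrets/all.yml`, which carries the "examples only" notice; either move them there or add the same kind of comment above `zabbix_cert` that `https_cert` has, so their test-only status stays obvious. `zabbix_server_tlsconnect` and `zabbix_server_tlsaccept` are `psk`, yet no PSK identity or key appears in this commit; confirm where they come from and note it next to these keys.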
@@ -0,0 +1,99 @@ +########################################## +# no managment machines for the VM +[mgnt:children] + +########################################## +# VM environment +[vm_lb] +lb.vm.scz-vm.net ansible_host=172.20.1.24 + +[vm_ldap1] +ldap1.vm.scz-vm.net ansible_host=172.20.1.20 + +[vm_ldap2] +ldap2.vm.scz-vm.net ansible_host=172.20.1.21 + +[vm_ldap:children] +vm_ldap1 +vm_ldap2 + +[vm_meta] +meta.vm.scz-vm.net ansible_host=172.20.1.23 + +[vm_client] +client.vm.scz-vm.net ansible_host=172.20.1.25 + +[vm_sandbox1] +sandbox1.vm.scz-vm.net ansible_host=172.20.1.26 + +[vm_sbs] +sbs.vm.scz-vm.net ansible_host=172.20.1.27 + +[vm_db] +db.vm.scz-vm.net ansible_host=172.20.1.28 + +[vm_bhr] +bhr.vm.scz-vm.net ansible_host=172.20.1.29 + +[vm_docker] +docker.vm.scz-vm.net ansible_host=172.20.1.31 + +[vm:children] +vm_lb +vm_ldap +vm_meta +vm_client +vm_sandbox1 +vm_sbs +vm_db +vm_bhr +vm_docker + +########################################## +# role-based groups +[lb:children] +vm_lb + +[ldap:children] +vm_ldap + +[ldap_primary:children] +vm_ldap1 +vm_docker + +[ldap_secondary:children] +vm_ldap2 + +[meta:children] +vm_meta + +[client:children] +vm_client + +[test:children] +vm_client + +[sandbox1:children] +vm_sandbox1 + +[sbs:children] +vm_sbs + +[db:children] +vm_db + +[bhr:children] +vm_bhr + +[zabbix:children] +vm_bhr + +[bhr2:children] +vm_bhr + +[docker:children] +vm_docker +########################################## +# all +[all:children] +vm diff --git a/environments/docker/secrets/all.yml b/environments/docker/secrets/all.yml new file mode 100644 index 000000000..1e9e2659b --- /dev/null +++ b/environments/docker/secrets/all.yml 
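Review bot: `[ldap_primary:children]` lists both `vm_ldap1` and `vm_docker`, so two hosts are "primary" at once, and `vm_docker` is also the backend that vm.yml's `client_ldap` entry forwards to; if the docker host is meant to take over the primary role in this environment, say so in a comment (`# vm_docker also acts as ldap primary in the docker environment`) or drop `vm_ldap1` from the group. The header typo `managment` should read `management`. The hosts all keep `vm.scz-vm.net` names and 172.20.1.x addresses, consistent with `environment_name: vm` in group_vars/vm.yml, which leaves it unclear what distinguishes the docker environment from vm; a one-line header comment stating that would help.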
@@ -0,0 +1,703 @@ +--- +# Notice regarding the secrets in this file: +# Everything here should be used as examples only! +# So yes, this file contains secrets keys, but these are only used to +# test the build system, and not to actually story any non-public information + +services_ldap_password: "changethispassword" +# cn=admin,cn=Monitor password +monitor_ldap_password: "changethispassword" +test_organization_password: "changethispassword" + +# LDAP services monitor +ldap_monitor_password: "changethispassword" + +#Database setup +db_admin_user: "admin" +db_admin_password: "changethispassword" + +# password for fetching contacts list +tools_contacts_password: "tools_contacts_password_vm_secret" + +# SBS defaults to override +sbs_db_password: "changethispassword" +sbs_migration_password: "changethispassword" +sbs_db_secret: "changethispassword" +sbs_dbbackup_password: "sbs_backuppassword" +sbs_api_password: "changethispassword" +sbs_client_secret: "changethispassword" +sbs_sysread_password: "changethispassword" +sbs_sysadmin_password: "changethispassword" +sbs_ipaddress_password: "changethispassword" +sbs_tools_contacts_password: "sbs_tools_contacts_password" +sbs_redis_password: "changethispassword" + +sbs_api_users: + sysread: + password: "{{ sbs_sysread_password }}" + scopes: ["read"] + sysadmin: + password: "{{ sbs_sysadmin_password }}" + scopes: ["read", "write"] + haproxy_acl: + password: "{{ sbs_ipaddress_password }}" + scopes: ["ipaddress"] + tools_contacts: + password: "{{ sbs_tools_contacts_password }}" + scopes: ["read"] + +sbs_surf_secure_id: + environment: test.surfconext.nl + sp_entity_id: https://sbs.test.sram.surf.nl + acs_url: https://sbs.test.sram.surf.nl/api/users/acs + sa_gw_environment: sa-gw.test.surfconext.nl + sa_idp_certificate: "MIIE8jCCA1qgAwIBAgIUD4MpAowfeNTa8dEJpJtl2r6PRDwwDQYJKoZIhvcNAQELBQAwgYkxCzAJ\ + BgNVBAYTAk5MMRAwDgYDVQQIDAdVdHJlY2h0MRAwDgYDVQQHDAdVdHJlY2h0MRUwEwYDVQQKDAxT\ + 
VVJGbmV0IEIuVi4xEzARBgNVBAsMClNVUkZjb25leHQxKjAoBgNVBAMMIXNhLWd3LnRlc3Quc3Vy\ + ZmNvbmV4dC5ubCAyMDIwMDIyODAeFw0yMDAyMjgxMTU1NTVaFw0yNTAyMjgxMTU1NTVaMIGJMQsw\ + CQYDVQQGEwJOTDEQMA4GA1UECAwHVXRyZWNodDEQMA4GA1UEBwwHVXRyZWNodDEVMBMGA1UECgwM\ + U1VSRm5ldCBCLlYuMRMwEQYDVQQLDApTVVJGY29uZXh0MSowKAYDVQQDDCFzYS1ndy50ZXN0LnN1\ + cmZjb25leHQubmwgMjAyMDAyMjgwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQC7tTZh\ + erxOI0uI9l4aDEdZHAZb2RwGehbfGyuTzzZqDqt42YC8MkJIa" + priv: | + -----BEGIN PRIVATE KEY----- + MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDBEAZ2GE4hLIuS + +7nQKtqKmQqOmYkjzDqmAza8WdRMKpRUTJ0Jb7gbUTuAkgOkZ8iaV2X+nS4ww4Nf + u9XtrNeTrT2yRFJpk7xsH3F6nuBMq1CeeZOPUH30nOJvGYw+NBa5UGObb9IGDGGc + p8hYXaPTEp8iVNhS29gteBqwZ0RNuC9i7Tkm2z3X/j345sGeE0iJw6bEKQ+rHdmD + 5Ks5uEZJp0Hk9sz1UzUBX7bWzOI1iyxV8UABIztHvObPeahnthD+alnufsV9EMIP + tNVPmR8MaNnoGzBS6voKmLBhYLVaBnlZadcnl1zhiTu5Juc4YIuJCXIaj4TBpKUI + R2dmQ6U5AgMBAAECggEBAJrgHi7SpKqcL4PECHXkStjwmLV4mblr9oiC/3/tmA9a + AQ/3Per6Anl3mwIzIFTdJOIbxqiQsyNPVK6R4rX9+Bpx2ZKOmIY1i+w49THnDgyz + ScM3yJYpfkGjMUrq9cRYyPn0cVOaSqOrfwrK1j99LxT+VUaXRcqCrlMbjF2DGho1 + hZcSF1CFBbm6rJyBs5fNzw8Bx76XFJZDr42QDeOPWw67bJnlw3gu0bF2PPQ6QmWv + txmNGX4fnUP3aZ/8vJhtP6DQJNLzQkkciDHDaWHf5MY2AfP6R9I4Xy+xEvLa99Qr + yDGhFGbJ332tcdr7aVATBiVhxsEcjnCelxZT0ZhGn5kCgYEA/Y6bkindMSpv0Og5 + 9saf7F8EuFn1KA1T6vT1rUHSliiLd9IQL/oNTyLc3U8r26EOPkiOXzSRqKs1iLlb + I28uJzrDO+qDK5te574cm+co67Bo92xCKJfHe2QM5zJjDBoguZFHdcDobhhuAzWg + 0jGJMWRDLTi//87//nxhU2EIXVcCgYEAwuw1nOLkIj7TbrcHdW+euNiErkY244eB + Y7fPANVZIINSDm7Ig5zTf6GlFrwnRR827zH+LOQXguoudyCdoCBS5UjAiXJyremH + xoTDcFZi53mrXzJyR1TruW7KfW1KGLP0c+arI+bzJpIeCZnAPWzXnS68zWxlIHBu + ri1XfDa95+8CgYEA68mBwhpMJzxfXtWVkXaDoTt7GDQPVn+OWiARllxviFOL3pDp + nLPbTIwO9354OnU62ZB/VOl9ymvsDIjRx9HMCY8LntwlvpdtWfPghtofo40ZD30M + yNLcHlKb7SNeGBLz+5yt50LM4hS1uSZVtyF5gwTJs3Pil+/W/sCLgQ3qyWECgYB+ + i4FG6Bo5jVYQk6y49g0ybga9aYIq9wbuaR9vqBKjw/2atxtgLok0XAnkl6RbAKfW + ZDtig3YsHMKrvjX3BeUrS68LzIxdEbZ/ECQdo0e0hU3XkNWWL7CVgzLceP5YyUOT + 
lxZWSZJj4Qq1KuceObJFLlmOd6ezhqqkU3Vvg86IawKBgHPjAFMY5OgutmJdKORb + c7W/QptfpIDUY1UqYwbFZ/GpObA/8ks1Aos/MuufEUzynECu0aR+/8srAJDnqPT7 + htUee1/Y8zjN2CPCacEgFqCi0CWSrGifnXWM9J8EPCC4ebSWyPyizM/J7ytgOn/O + 8LDqYI2jJNoduQk2AOYR1sbQ + -----END PRIVATE KEY----- + pub: | + -----BEGIN CERTIFICATE----- + MIIDGDCCAgACCQDQAlQLTxsyizANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJO + TDEQMA4GA1UECAwHVXRyZWNodDEQMA4GA1UEBwwHVXRyZWNodDENMAsGA1UECgwE + U1VSRjEMMAoGA1UECwwDU0JTMB4XDTIyMDQyNTA4NTMwMVoXDTMyMDQyNDA4NTMw + MVowTjELMAkGA1UEBhMCTkwxEDAOBgNVBAgMB1V0cmVjaHQxEDAOBgNVBAcMB1V0 + cmVjaHQxDTALBgNVBAoMBFNVUkYxDDAKBgNVBAsMA1NCUzCCASIwDQYJKoZIhvcN + AQEBBQADggEPADCCAQoCggEBAMEQBnYYTiEsi5L7udAq2oqZCo6ZiSPMOqYDNrxZ + 1EwqlFRMnQlvuBtRO4CSA6RnyJpXZf6dLjDDg1+71e2s15OtPbJEUmmTvGwfcXqe + 4EyrUJ55k49QffSc4m8ZjD40FrlQY5tv0gYMYZynyFhdo9MSnyJU2FLb2C14GrBn + RE24L2LtOSbbPdf+PfjmwZ4TSInDpsQpD6sd2YPkqzm4RkmnQeT2zPVTNQFfttbM + 4jWLLFXxQAEjO0e85s95qGe2EP5qWe5+xX0Qwg+01U+ZHwxo2egbMFLq+gqYsGFg + tVoGeVlp1yeXXOGJO7km5zhgi4kJchqPhMGkpQhHZ2ZDpTkCAwEAATANBgkqhkiG + 9w0BAQsFAAOCAQEAjiwEKEUeGFuOoPlVAzfc+ecWqte2KLzEYSn1ath4MYMqE7rr + BIkeBEMg91geqJcfRLrJErp2PN+oNwhtKsKVYhAyYfVm0wxQQLLoJcqZC/Hizwzj + 4/vTV3sYG72qAP8NfJXvrNJwJz6F96YYYDFoVHf+HOXtPaOslAj99RXMVIjlArk4 + IrBJWoeKPZ5mC0EkRpJjhe2HCw/LaSnobHMK/V+0O8oW2k6qICYwVxgkkj0ln/Zg + qnw8pRdkC3qO0A7Vn+KViAwFrqGOl9y/0UHh6kPRgWXMgQl1cUAT8ZoCxqaOQ23Z + eN+wwugTwPdJVTJR5dSdTKIqWSdwkp/gDT3asQ== + -----END CERTIFICATE----- + +# NB: deze staat hier (in de globale namespace) en niet in sbs.yml +# omdat de client role deze ook gebruikt +sbs_admin_users: + - uid: "admin" # baas + +sbs_excluded_users: + - uid: "9bf251bf6cfa9eb8c75f15a90075fa7074eb3d48@acc.sram.eduteams.org" # BaZo + +https_cert: + # Note: this is a generic self-signed key for *.scz-vm.net + # This domain has no records or hosts defined, and will only ever be used + # for local testing. Therefore, publishing the private key does not have + # any security impact. 
+ key: | + -----BEGIN RSA PRIVATE KEY----- + MIIEpAIBAAKCAQEAyHWotqbuvAyu72sGYLmL8X9ac4p5YjMOYBs9Yzbtx9/xLkh5 + o+wVgXE3I39bAmS+oTCqNs3Q2+EaQ64X8asIafhpspyHkWIbR/dDlM1kd7OqhCsL + xhDFbQDY71aEuGjSrKONZYcmjgcJv/W26T1PgTpMNH98eFOvKkq/PnpG1feOGrP0 + Hhec/VzVlx/taXkST39z3m+Gc+pYkBviGCEOmdF1UImIWBgsNwRM/jXY8NLQRT1B + tLvBrVMDjX5qX4RZk+Gp6VzCYr9Ro3oUh06ifXGU7yblmXhdLK048jDF3mCBQmZQ + fHeAFXkh4RNrormDcHJJMG+RwFfYrIB62BL3BQIDAQABAoIBAB3J9k9mUTXawKhN + hD4ddKFnpn5jBpTEN4+qnJ3AzOcV7VZOaN0mOS/qLiJ1S4X4iKeVfsX0IeR6+Bc0 + qNQ98VsmEjb7sd218Y3pPb7AIvzy0xUe/HnrhhsjtBklB0YMNbp394wt4Fncy+Md + 1Zelh8oRar+mbk3HSdGEGBVlwF8NTflhucQ8Zo528Fc1qr3NCKWgiu7yde3orz9s + gwRXh43Kckt3/ycqk1WHtlYYhobhH29aagRo7uc/Tv5HQD85GHVdI+13XWmmT9Rr + sqzIvyAbek/NfbqQFG2q3jdfbI3LTSf9w5oo6duLGyqVcDpLuCOKd/+Tbc8JXT1P + 7+luZWUCgYEA+8isSsdu0BpbGuU4kvUn0AIIEv5ShAuRCvszXonu56zSd3OxrqCh + y2houAY5tuy617OmhLq4F5jZ7Rj79E4HjMXwPS9wOBiOV9huryWhiyX19ZHsNRQb + qHrKMF7vnQvZ4o7fkUZV8OE3bwb4Fb4IoapZlCTfFF+9xocijA26p9cCgYEAy9D5 + Jc3WBJBt4BHfu05kfRZQK9E5nKUAPeLTlB6Y4Xg1AdxB2IeM0DRi3C7EyMpaNB7T + 7CNxRN+2F2LQCzqx7rpKqILY1C33ohwfh1SZ02wgvZX1s2/xq1FAYN0guXFMKTid + Y9EZpZZ9FiSBuYZF1WmbLVQ78ZNog68Z7MG3DIMCgYEAxJKRYPh/HV3WTxMyrhlU + ceOEJkAEcC8PmEEyg9awfJPC5Zuf1zR13Paw+ytxF82OuiT6Fpooa9PcIG3nF39s + CY3n1/0XYdRaHV9OWtPIYXjLpGO+xFnklg73l/gmnrfH7keZaDQ/mIZc3wPT4DWz + S3RR54U53RA6e6q5YBq/5ZUCgYBlOO/D2qpDsgcflUDsIU6+4OoIGOzn4vpvwcsa + cOe0cqLAvcbl5swES0Ad4gxRPE34PKc7S47hiclBbA2uxgPAcDzL29Ab8Ihftl/i + Mh4DZlwMTAGukBYR41R5xtiNwLr2beucuyhlmIufB5p1rT3Zc41hwcfTfkYVwEy7 + zKlASQKBgQDVgObZ6Y8qVwHjGwUqOZBm9XUJfbeKUFqVdbqjP9817/LRmiwlT3Xc + bErMN+/3yZyHhK062xYur6WLeVOzc6phUi7RoUrwMTWznrgiRChvw+U4UGgeUj5J + eVasMapDAMw5lbXO2jNFTY09jVuRiKSKpVcoCA+cKiKpTlVcX0Y2Pw== + -----END RSA PRIVATE KEY----- + cert: | + -----BEGIN CERTIFICATE----- + MIIDLjCCAhagAwIBAgIFLwhV65owDQYJKoZIhvcNAQELBQAwRDELMAkGA1UEBhMC + TkwxDTALBgNVBAoTBFNVUkYxETAPBgNVBAsTCFNlcnZpY2VzMRMwEQYDVQQDEwpz + Y3otdm0ubmV0MB4XDTIwMDMzMTEzMTQwMloXDTMwMDMyOTEzMTQwMlowRDELMAkG + 
A1UEBhMCTkwxDTALBgNVBAoTBFNVUkYxETAPBgNVBAsTCFNlcnZpY2VzMRMwEQYD + VQQDEwpzY3otdm0ubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA + yHWotqbuvAyu72sGYLmL8X9ac4p5YjMOYBs9Yzbtx9/xLkh5o+wVgXE3I39bAmS+ + oTCqNs3Q2+EaQ64X8asIafhpspyHkWIbR/dDlM1kd7OqhCsLxhDFbQDY71aEuGjS + rKONZYcmjgcJv/W26T1PgTpMNH98eFOvKkq/PnpG1feOGrP0Hhec/VzVlx/taXkS + T39z3m+Gc+pYkBviGCEOmdF1UImIWBgsNwRM/jXY8NLQRT1BtLvBrVMDjX5qX4RZ + k+Gp6VzCYr9Ro3oUh06ifXGU7yblmXhdLK048jDF3mCBQmZQfHeAFXkh4RNrormD + cHJJMG+RwFfYrIB62BL3BQIDAQABoycwJTAjBgNVHREEHDAaggpzY3otdm0ubmV0 + ggwqLnNjei12bS5uZXQwDQYJKoZIhvcNAQELBQADggEBAH6K+xnMunHKuf93uQdU + xi1vC7RA1zI8GRHVb6d8kgM0fR2+hENp3iDyyJgav0A7Oj0qg0S5dosu088wm+qK + OFaP6pTB3eNjOFl+Ifn/mRuI/iInWkBIWQmcROf7Wt0QrcgchXD0Bibpmq4+TVjf + 2vhJiGGuPMIgVgkr/jtKuIO8suZk6PcXMJz3Di5ML9yjgHUgtnL5N7MV2fCvZp5I + 7LAIozSxoVcv3loANE7Yy2YXRnzSzOhbi7JKGvdY3SroQWemyDrqMnwsDGpcscSk + esChdJrOsT0i39GyOVn99BE30tUykkBDx9jZdtGFQER2cQtzB6KSnckkdQao9avk + FVw= + -----END CERTIFICATE----- + chain: "" + +backup_offsite_https_cert: + pub: "{{https_cert.cert}}" + priv: "{{https_cert.key}}" + +client_idp_users: + # baas/baas + baas: '{SHA256}/B8qagQ/Ek9twLaWgkzDY/WLFsyk0rsmEeHjwmVM3q8=' + # student/student + student: '{SHA256}JkyMOBvxbJgqTlmw3UxveAjFGgX2TDXbQsx4oqcodbs=' + # employee/employee + employee: '{SHA256}L9wBdwV9OlxsLAgh4B9PqNkPmju3r9grDbUmr5jWjeg=' + +# SAML signing cert for clients +client_saml_cert: + priv: | + -----BEGIN PRIVATE KEY----- + MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDDFKgHyzsPmuPw + 0cFblaoAv8Uo2za/+nxfcKqd8Pm1pNI1ePIZGbTahv6ktqz0O44z0k8k/3Glnb/c + UqO3fNcDXpAh8YJ6pX+GnS4+jizYi66i5KCDpLu15uGXccDyqDL8Lwd9UkBqKPVE + CWc5Cjf/OD/YjW5kaVugtjJ0qCiFfEAtwdWIbcrIBDXDAe+2XMy4RUT3dLH9i6Di + kzrVcxKXcVHNQrtEkKhSz5f/jXovIOGv3zhmS4ne/Xjh3CDLGO9p3pNqzoFBvOQb + JrrJx8HkfC+riHLVdHaq5kDz2BiKFO/JtuCTazcowjYgZ6Rov6eRiTQA/DcN87tw + kUH5hIc5AgMBAAECggEBAIQdmS6uFHGdFIIjjC/aTCf1uDDTRWD+4vw/8UzFxlee + KD7Oiic1oaXdhtdGYBuHueaep7sGxJDFJQqxbO73PSarBDH4vcUSECu6h3cWEokV + 
EFCBRbPh/L5UfrNx9ppgDyd7MjdNXRKIapKJS771jLbsAVFHd1vJfqR4v/MBb2/2 + Z01a9LPvIn8gotRTQ78I8i91KrSVUj5ZZ4j7phXbi2LDhABRmsr1UbhhFwWDgUwz + B0liDQCkezhE71/RzfFVGgCoFaTSy4IxRkxczYbF8aQ1TkirkL6a3r9I1BkEOSy4 + Q3KXB9hCIMx3G/Zzf24g1aoV8CJnVwd5nJENp96fb4ECgYEA4OoSXLtx0/MvVPEC + bvneXvuvqGx5cF6c0Wi5bhltL0erubdZ/hSYmgeMWo9sXh7MFVIYwTS6SXgU6OpO + jQTEfwVWlfOyzg8Uo9fE9792tEk7QP9qnUVDqORKPIOtQlC2gTpEFUTJJWxwYlwk + JyZKNcaiIi/McbT/voS7Aa9BrCcCgYEA3gsCVRe2nuSvxKUFFfLefadQ/Bgtmtb5 + qoxKHdhAwkh81YaOslFIjEbothv/G/kkg0wAqTJjr7eQqZhOvmR9WTIhm+/0G4tF + FmEUdjz2GnfGo7+IL2QC3GQBPCr/W5I7RSdh2IISJNjKTbCcJEl4j3IOmePgoLeK + wlnIQ7nibZ8CgYAbJycgWuDbHbjRIGeSzkeyX+BNDQt8LW/xOBtq11b/Jj/tI92R + dxsVPWQMatRCaKVqzYZ/jMYQqJadp+vjyneOfi592/XyOo/bV+lHn63NBipJJozQ + f9QzR5xOwfbg0q213Drr9mnyQq0ussEKmOzMoTZhujOMZrWZYpzRDz92cQKBgQDG + 5jG2q8FI4C2bBv9hQ+eNw11GFRp1A3EuFvElftuzrV81no0gqrNEBRjcWIPTOQA+ + JMzKw3qMovCRGwAeiMHILqHwn6eZLM48V8YOjFkgKH7lm+KQIRR2+5YnoZSRIJK7 + RaXeXdWG8DN4GGYmEzJNvKvbqkdDcGZ55hcAo/hynQKBgFgzZs+reOw6xQja5etv + ZBt+MKrQlFWgQPwR8qmWGWZ02wrR9XEP3QRny470WBpJ8NFfTOREvSikoi26qWn0 + HIqN1SZp6waSCRXQ1G+5npdG9Cpy0g1/kUVc1kcGgWwwYGOeeWYvGQrPMskpRmlo + UgcNlD/szshy7RRfuRW+2are + -----END PRIVATE KEY----- + pub: | + -----BEGIN CERTIFICATE----- + MIIDYDCCAkigAwIBAgIJANmp2CfNHjkZMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV + BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX + aWRnaXRzIFB0eSBMdGQwHhcNMTgwMjI2MTQ1OTA0WhcNMjgwMjI2MTQ1OTA0WjBF + MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50 + ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB + CgKCAQEAwxSoB8s7D5rj8NHBW5WqAL/FKNs2v/p8X3CqnfD5taTSNXjyGRm02ob+ + pLas9DuOM9JPJP9xpZ2/3FKjt3zXA16QIfGCeqV/hp0uPo4s2IuuouSgg6S7tebh + l3HA8qgy/C8HfVJAaij1RAlnOQo3/zg/2I1uZGlboLYydKgohXxALcHViG3KyAQ1 + wwHvtlzMuEVE93Sx/Yug4pM61XMSl3FRzUK7RJCoUs+X/416LyDhr984ZkuJ3v14 + 4dwgyxjvad6Tas6BQbzkGya6ycfB5Hwvq4hy1XR2quZA89gYihTvybbgk2s3KMI2 + IGekaL+nkYk0APw3DfO7cJFB+YSHOQIDAQABo1MwUTAdBgNVHQ4EFgQUCBFdf80k + 
xJ9JkJ48RqtpZvu1SrkwHwYDVR0jBBgwFoAUCBFdf80kxJ9JkJ48RqtpZvu1Srkw + DwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAPpqZooSulmZdL1ps + i2m2XTR2kf4Mww3x9z3hUH9sR0+/2tuP7U9ODarSK6ac1YSE6/B3f/7nefwdMF9p + t78abBHLCpWsmUUXkaiGcMFH3CRliCuCBI/12K2Q8YxCCHXACdpYTkilmEIBdqRU + DAyqyeVt2u/YWgZualZx6yHIffPqG/iy7HVaffLy/W3DKwC9x12kHyUiTJzfZCeB + wI05NBtSpgXSuEopT1RjCbPey9YweOJ2jPJYtNmBOz65/PVm00WnRgjqwBmjzDQC + ticXKu1TjM0zKFF19VmlsX68x5L32v1BUz2r3W5SrvwNN//rxGrbVsMGmgup7eOc + XKaNuw== + -----END CERTIFICATE----- + + +# Satosa metadata signing key +satosa_metadata_cert: + priv: | + -----BEGIN PRIVATE KEY----- + MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDS7Ik3opUBaJXf + siOyJTQ9xd1vyiQpiyIZRXB5lB9Tcsqd31BswaU7eBT13Bsn2VUVRc/42sPDzMnq + fmy109C4CpIM3DatWTauBvU9WL75XQhqRJtOlA+lnJEQVa5XHbmxRXs7PmDhSWDz + qhkTBMzzyMOU+XV1C/sGEEoZ5CSpyO0bSAajzH+CQ71TOAqE3smflrggSvXH+DxR + 5/BpL8sYNFCJ3IUutlIni3mTnLe4uiKNVzlnBZ8fXlHf6lVWAIJFiNOqAjsa8QZr + 5jhXK4G0rkL9jfxhoVqwuNuIU374zVkXkRXvAXdLBWc25JrWkLVkBaQWUDox309L + NGcvI6gXAgMBAAECggEBANAQFKuU7XeeO3mWuC+bE5V8AZusw09XuCNFpFXKD7y5 + l7Vz/FnMC7pGEicVIJSGhq+dVjIdWs9izCtM2t/iOhnSE5AsCqOlRZMVugTx7jD9 + 3Lc3RhyVYXn0oASFAJ1e7TY5W/5s4hRZ1hGG0YU5TxOMD6J9EaiMUOsCVpaDvsbb + afwYv6gVUsXr9AjGHrygEAWZUiXEX0+rHEGrQ17XsKB9sW6EOlLUVk2cfOsFMRn0 + xPiqYdFzDAS4GdBDp7Zrf/MN7TTC7VECAO2mp+vOEqJzZiGBHAQYP/XlGUiw4zBg + HfSlNHxLp8vELuwxojpj+3ec6fQz5z/zEetHgueJH0ECgYEA9wNAsLbNvuDxIC7U + LPXPWh4ycjOcTOSCyoYxLyiYIGqA3DFok1CfRXhcO/vdsu+wf3NKaloy2xvVkGH9 + bACGelsk9UzgkdDpwc8LACyEK/Va8R0vJrGL2PEqP4tnzSYQ9wp7UiTZlrfHAVTE + 4bq9vRtrXQkPwpWXRXT6s+6GrYsCgYEA2pkkdzektW8+LEgt2rJjLVY1IqtNWka7 + YHLCrZI3vnoyewt7SoKCuQsbTejWMQtqAndpTWdHrBCySwqvtQ4PFpa7zyWpHQ+t + i3LqJmKDGZ46eyKVRPzz4Qv6o4lQg6lZhMjNwN6GZFTZ/uybiCX38rGeKvrCdxae + EmWRfZduGSUCgYEAiWS4xdJYbLSnylPh1sQ/OowTWSxV4vszuLydfPKic11qIZAl + 79LnVHfXLdIxhYcG8E1Ldg6HvRIlXzLyB/He2w35Z6wEOXcvnoqwPr+EIQNPO1AV + Wvtkox25dzDuYtCqnQ6qe41drhS4z4e8HyaExTwMIuqYZo5YXtzrWcvyA3MCgYBh + 
qBTQZb1hiMb/xWcm0pbYBDFMwbaW5A6Fsf8ix7W7lJ/EtIZp7RA1Vq7mCWTXGEBN + xcb3W3J7fiIIwEdq3VMERma0ziBU6VIggD/20f+7jCKYLAT/gvn4yf842/lqOFfT + qFmzFjZ30ChraIy7MCsq8wq0LL5/sU0A7vsmXmZDOQKBgQCGf/AZ9VcAaq9nKjkZ + 9ZUFDOHuxWF4qhppy6yNlfVlWiixjR1qqZWdHZ+GkMEkqPwKlbcLdiDPq1nAg5gp + UQXPiaFK+mLaO7+6uTMBsiX6BMZRtvdT7YQyoU6ADkB9AqZp3d72kZC0tlUZTXg+ + HeIbsb5+TNbh96K23NkZpH1qqw== + -----END PRIVATE KEY----- + pub: | + -----BEGIN CERTIFICATE----- + MIIDIDCCAgigAwIBAgIJALtj5xVgUd6/MA0GCSqGSIb3DQEBCwUAMCUxCzAJBgNV + BAYTAlhYMQowCAYDVQQIDAEgMQowCAYDVQQKDAEgMB4XDTE4MDIyNjE1MDE1NFoX + DTI4MDIyNjE1MDE1NFowJTELMAkGA1UEBhMCWFgxCjAIBgNVBAgMASAxCjAIBgNV + BAoMASAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDS7Ik3opUBaJXf + siOyJTQ9xd1vyiQpiyIZRXB5lB9Tcsqd31BswaU7eBT13Bsn2VUVRc/42sPDzMnq + fmy109C4CpIM3DatWTauBvU9WL75XQhqRJtOlA+lnJEQVa5XHbmxRXs7PmDhSWDz + qhkTBMzzyMOU+XV1C/sGEEoZ5CSpyO0bSAajzH+CQ71TOAqE3smflrggSvXH+DxR + 5/BpL8sYNFCJ3IUutlIni3mTnLe4uiKNVzlnBZ8fXlHf6lVWAIJFiNOqAjsa8QZr + 5jhXK4G0rkL9jfxhoVqwuNuIU374zVkXkRXvAXdLBWc25JrWkLVkBaQWUDox309L + NGcvI6gXAgMBAAGjUzBRMB0GA1UdDgQWBBT4+xwD25C6fN6uR/QCsDF0eB7LxjAf + BgNVHSMEGDAWgBT4+xwD25C6fN6uR/QCsDF0eB7LxjAPBgNVHRMBAf8EBTADAQH/ + MA0GCSqGSIb3DQEBCwUAA4IBAQADuhzNzhPOcHE4AV889SKwZx0Sgmli900ECRRR + k5Wrn7W+QUfFn6I37DLxJu07Zac5xxWJE2glHfXxB2Bwyf0XjIBYDxjSFKNf7ziO + To/ZPvWdPtd+yWMZ+Fp45GInnTznmkckcNtzhQfUpCJ4rLmwzKdWCQNnk/AAHH6a + wBs+CbXzmXEGO7e0uk0m5i6INoO6Ij/8wty9XY+cCETPvCHUu99YZL0Bh8F/63UM + +gWYLIuYGBWmI1bu5l3j6A8Bu+4UFW5SJ1jNrnU9XnCOnJU5nH35qmE0IdctWPmx + EEQqzGJodBhxL7VNunP/pOHtpkRSOm2Jx7WQ1CliYOxVHT4p + -----END CERTIFICATE----- + + +# Satosa SAML signing keys +satosa_frontend_cert: + priv: | + -----BEGIN PRIVATE KEY----- + MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCmYtAVshhVQYB7 + GYo9YNq0SsVYEj1k/bgENRN84xCkaCHaTCvyiGKC3VmXLKeJg+7qYQhhsY3Ai3j+ + JFqjSSoZ6di34pgw3Vh8GuFcbexpf+k8bHgxW/pe8bmI/jLDl9SlfQmVWvqqKCM3 + 6zinWLHl1hpK/dqmbyqJPsTf0gSZtFZHINDBredqrq0kfpjyR7aoUjNeDd5fMglC + 
DyZd491JWTc6/zfExZ67zZtVdKrornADQPAla4RbS7DA8aD6YfHt15rdHbQnBnSP + +HAgcQ02R/BIeTmGhsYMioPpJzi31OJQYBGMa+gI3VUBhsFegtWK4YDaF721kZ0h + cpVUHzARAgMBAAECggEABll9AWbzgMVoJsp5uQ/qKLk1wL+pciIwlJCF9t0fdHa4 + 3ADOKIpF4CKcWaWNmzTauD0NudSxyShJbMFsaBDRt31yFMpj7nF0AABymzlirUAB + YZnuGEwfSOJGp1C0FTzFE6+q3vVC3Z18gpTKa7B50YCTLktzvag+YlBv6O612Du2 + zpzUOYgluHyYtq3r1+dcYZsAkzdK8ZtVQXS9x3Jl+g8FQnsvOaWg5MXl3auN1tu2 + S/7cdHQQ1PQmuFUlofRRnNKtH01R4aZAL1Xj/d+ljzGJBufGaGlJspNU1RrRsIbZ + ycQYwZAeNHtY49hl+NyhdNUJmfBeuV/h1UEPUcRZtQKBgQDXx5TKsUIE+wCoQXd8 + bAyVTE7TGuFzafXPhHi5YsHeABJG0bFEeHlR5tOlxeqJ2uLddChH0ejnh9sVeWoQ + lG6uwoYPPrB02v3G4pjJLJEXJqEql6PlHI1oskrHa08w478mwexR26s2T3zQi508 + 9JB6E4a9dBleQ2YZvL3qTVN83wKBgQDFZk0xHtDjFn4YNFaXRVB+gnX/65FT1che + glJvaxhvOGNcwhtQDXbtswO4ZOpLY2nNwJ82rOsxwaGRTRIPNfLls20wHLFMGFQ8 + gq6jzbtf6rCtsZHyByBaMYHRiGwqSb4UwBuqo6nkVJlkGG3IqSSVQHCFeT1144WR + ZxIqYQIBDwKBgBuT7nhZX06zpcnbVCIazSDnt8tTTC0sBbaX/7Xx4UU2TR+v/S/7 + FcZZ8gLl4KvtxcD3743+Tf4JZv6/ncawsdS0F94q7PKCapzYqR5NC94hmcePyeqm + U4xl/RivpldhRDT34/QyVxeB4TnmHhqER1LS3A2qoPNjOdFgRgWEDH+RAoGAenpy + FLMxGmV/UVdQDsXEHuqlemfYIPM5QmKL8XO6km+jPw900OO50dxLx6JduO7y2+XT + I6KAv7uLmtL+DJAFqL3+VmbHHxbNVUokP6BLzUSZ4PuXOVtwmGW1TaPesRJWLRvR + TrwDkpdnITMDEwjXmP+FkVtbZgUIf+I65C6ShsMCgYBWy0h6NUl8hQ6Qbplta04G + bboSPKX9J+LZUcXOu1vVxR4KoAVxerD2Uoi9e8dNDuQlpKipDTnWSVDYoQizNWb/ + MdwsKPHDbhO/abhlWl/TGkgo7tJ3ImxUE/NixqPIasUgMwuN2XOy3YJQcPLMEiy1 + 5qnkwKlfYbJHA812NHdwSw== + -----END PRIVATE KEY----- + pub: | + -----BEGIN CERTIFICATE----- + MIIDIDCCAgigAwIBAgIJAOu4gMd3M7LTMA0GCSqGSIb3DQEBCwUAMCUxCzAJBgNV + BAYTAlhYMQowCAYDVQQIDAEgMQowCAYDVQQKDAEgMB4XDTE4MDIyNjE1MDIzMloX + DTI4MDIyNjE1MDIzMlowJTELMAkGA1UEBhMCWFgxCjAIBgNVBAgMASAxCjAIBgNV + BAoMASAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCmYtAVshhVQYB7 + GYo9YNq0SsVYEj1k/bgENRN84xCkaCHaTCvyiGKC3VmXLKeJg+7qYQhhsY3Ai3j+ + JFqjSSoZ6di34pgw3Vh8GuFcbexpf+k8bHgxW/pe8bmI/jLDl9SlfQmVWvqqKCM3 + 6zinWLHl1hpK/dqmbyqJPsTf0gSZtFZHINDBredqrq0kfpjyR7aoUjNeDd5fMglC + 
DyZd491JWTc6/zfExZ67zZtVdKrornADQPAla4RbS7DA8aD6YfHt15rdHbQnBnSP + +HAgcQ02R/BIeTmGhsYMioPpJzi31OJQYBGMa+gI3VUBhsFegtWK4YDaF721kZ0h + cpVUHzARAgMBAAGjUzBRMB0GA1UdDgQWBBQjliHlXaIerPEJquCiraqTOJ7uATAf + BgNVHSMEGDAWgBQjliHlXaIerPEJquCiraqTOJ7uATAPBgNVHRMBAf8EBTADAQH/ + MA0GCSqGSIb3DQEBCwUAA4IBAQARKD7AhvQcx7hHFJDrXyLQ+sdSh/zL33/fyXeT + 1qbjpMtke4BVfibCRJNs+cds4v6SPAxdgRobnpW9CeiBQRIoGfPmrdFu/q7IqaH1 + pQTVa0cgW0pzt6A4RrE6OUs2mNdKV8dvtEFwL7gt4iQLNdqflHDulMXK36BvJ5qR + 7QJljY64lwn15CtuGMIEdolMeK2RuKy+OceM7nkZUqlLJqEyJ7N5EynH82KIMCgk + 2TabDtFmIi8kTsSZ/tuFeRNs+lDduJpxnZPV/IFdHhjLTf1V6SUjZI95LcCWh0Nq + 2tWMfGVIoj03kC6YDaX8L6GNo4CmXM2eQV/UMCkEcCUkBMZf + -----END CERTIFICATE----- + +satosa_backend_cert: + priv: | + -----BEGIN PRIVATE KEY----- + MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCnwRvRJjjQRgun + 4ZUelzyw3peyd0h1AwWtDm5bpF5GXB+V2WXZ39eDR+/avJ242cUvew8th+ahJavN + e5O/NHv1go6KDVxCJQIUf2bGdyC4Ykbqhv7fX3Zigs4WK0SbPiq6BSLSI5M/+YDT + 0kLyjQ0CAdU2wWCVTnI9N7YLr65mcSCvTNbadE5sBBHwjs/vyOEyWydFDroXbNpe + GTh32m8DlUkUQb7xjabYP+AL71ewPml3ata3PtDCfQoNfgcICg1gn1hy1kCqqCRl + khTTrnIQRwJNpOPHBR6vCkz+7ppYzVWi6dB4gm/7u6xX3d3lc409BQ9KEsKE28ho + 0mQQQ/GBAgMBAAECggEAK/Eypyua8DuY7AX0OMom9LGqDO6gBT6gav9/uvOoWkfh + YjBLNLIk0teyJZsIuZYZx+E1TZjuucGTakT3o7tMyTfEvLbZNt5Y2COzOUOVR5c+ + ukpYUwy/hvh6oWX+F6hGKuoTf/YfqT9jFplaPgzinmb6gdhPw2yEEjMYtaD0TxLg + ijulPDG7N/l2/f5sU78nt/+vIsyHaV76qBy9Gtzh9xpKZIaEjK7SzIU1Cte2DPKV + ZL7WstY27sZlF+Cn7U9/TfY8ax37V8jHUu0keIv3SMMvmouyvRV6yNWdVVOvByM4 + 4Ohi/mWogzTIaQTuErCOkLC1PGBi7WcOjTqxhdEAAQKBgQDQNjVpE3Ms97Agc1xa + SQIM63tcnZksiBfHg4Ft9L3YcTdDpRmcHBKVytFbdPhArrlJ1Uho/7zZtoUQaAv6 + QVh0Vu2zxfkWJba/IX8aV8VlAkIt6WkwbiehjgcS8czo30zbVIYAlNeQJXS/vwkh + imwEF2fUrKCpxZ+EjUtkY7KUAQKBgQDOQcOVr2YQ68fIZhOpK8mYkMniJhW1UVIu + JF+NrQAnJaM8pHRtKzxpqArsy9znyJ65E4oQCtqfTYDjI7ZDBxgBq7z4kRdY3s2H + oNoJiQMEERGiRnLjCj5+1tUsy4wDTR55QqozIlWTwZ568CreNlXw42oNCqtTXtt0 + c9poN4NdgQKBgQDAPazmzZyEIlUuQRU+DzajczC9fI2Wvjkmb1crjNNUaoQaIvAY + 
YRsPzumqRb+JCUnuz8xBlg5p/cmyMj8M2xSupixm1h17w2qN4oGWcv/AmWs9NMt4 + edyBn78MUNFfGf2+bLYlB0hYwRygheQKYeIFjQ7DIHhfCCaWnlbD5AFYAQKBgAhr + /wR5qP0/42R3Zo4dz5l/L/8f9vr0WxqvOYebbMosa0HqpSZgAZN+3RNWL6r3MiP0 + fEqzZsHidETSDHsoKv7GeGzd38otLs8+7ig9g/YCjGnH3qEOpgaf1wyBMzJfT8M7 + yZ9U45Go8kOq0tVH+rJfVtE5gk1hLizPHjfrLF4BAoGBAKqFtNSyMT5S49Me/3Ao + wfJBfs56POYw1wUtz36oUl3XMvBIrpOGcbkz4AVvYcuTc3jxL3x2y+cNjdSiL0z9 + IoC0NQMUaRawf4RSVX/h17UscxA/PYKl4bf0oE6L1ejsRKw9nb8gWuqQmAiowgPW + 4aTCUygPQK/iA8i+bAURqydF + -----END PRIVATE KEY----- + pub: | + -----BEGIN CERTIFICATE----- + MIIDTjCCAjagAwIBAgIJAIbqDargWdh4MA0GCSqGSIb3DQEBCwUAMDwxGjAYBgoJ + kiaJk/IsZAEZFgpzY3otdm0ubmV0MQwwCgYDVQQLDANTQ1oxEDAOBgNVBAMMB2Jh + Y2tlbmQwHhcNMTgwNTE1MTAwMzE2WhcNMTkwNTE1MTAwMzE2WjA8MRowGAYKCZIm + iZPyLGQBGRYKc2N6LXZtLm5ldDEMMAoGA1UECwwDU0NaMRAwDgYDVQQDDAdiYWNr + ZW5kMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp8Eb0SY40EYLp+GV + Hpc8sN6XsndIdQMFrQ5uW6ReRlwfldll2d/Xg0fv2ryduNnFL3sPLYfmoSWrzXuT + vzR79YKOig1cQiUCFH9mxncguGJG6ob+3192YoLOFitEmz4qugUi0iOTP/mA09JC + 8o0NAgHVNsFglU5yPTe2C6+uZnEgr0zW2nRObAQR8I7P78jhMlsnRQ66F2zaXhk4 + d9pvA5VJFEG+8Y2m2D/gC+9XsD5pd2rWtz7Qwn0KDX4HCAoNYJ9YctZAqqgkZZIU + 065yEEcCTaTjxwUerwpM/u6aWM1VounQeIJv+7usV93d5XONPQUPShLChNvIaNJk + EEPxgQIDAQABo1MwUTAdBgNVHQ4EFgQUfgf81jf+mw2zoL1qNJEAc2PTEpMwHwYD + VR0jBBgwFoAUfgf81jf+mw2zoL1qNJEAc2PTEpMwDwYDVR0TAQH/BAUwAwEB/zAN + BgkqhkiG9w0BAQsFAAOCAQEAVD6h/EABjHhYlNwKRNsmT7l7laYBETCTQnGBLpGd + 2Pq8myJK2JEcC2ohdTHxPjtcetP6FlyV4VEhQevL7SQp6dKOW+9OwjDpCt9Z68kW + 5+7uz3H+1gVlyI9+bdIFduUSMMBzai0yXWrO/R7OI0dkgYZHO+WwF330OAj1sCNE + 8qLkyEk4QDJ5CTvSydNCQKcueell0ZBIY7GXtARx9z/NSA9pEUPyVB/WPf7j/QRG + iQz6svdR01Es8/cX/x3KFR/xLs+gsGdFKjD0S6aCNbrzIIGUR9Uic+P3Tm/HBXWF + e4DP2nHvJyqySyT1sU52VfctCT/kY8iR6eyxw1zqvzsi7Q== + -----END CERTIFICATE----- + +# Wildcard backend cert *.vm.scz-vm.net +wildcard_backend_cert: + priv: | + -----BEGIN PRIVATE KEY----- + MIIG/QIBADANBgkqhkiG9w0BAQEFAASCBucwggbjAgEAAoIBgQCNOUNTNLeed2/L + 
7zuASntFKvgUK+Q/6lNCrBj1FgM2luxITFDacW0lmNtwY+zJZ9AFUek9O1V9peP+ + AXrYGJrwbs/VbWrt7hCo4Iv/AsiSyKpPPxoMhSmzu+uqzM+no4whZGDXLKtkF/OZ + CSMYciAD2zfQBxMSkqaD1196CwyBDw1EXVyln8F6XRyxHKDiF9Vw1oGS/SjvEMMF + CK3SVE+1ipp1D8+cL689c9HG1dmyi24mGAtVSIUneoMEG6C4AsWJzlwt98c5PRLn + WfHWy6KJmiYD9+w4efnqDUNdJDfMl4Us9p+eXzh4jYXATWXx477N9PtjJIq36rU/ + TYU4GwoPjV49uQDW+ORt0gN+8Qa3M0GmOtyH3nkoFZRRYSkecyH1B7jWWYxWvUUK + apkpMHVhtaWtlzELtrWLc5qqoZChEvA1G2+Wp7rdn0durrOAPTjYTUqMuLDb+gWl + iftfruZR/QpXhoWFB7gskkh7LeJphXxO99H3h4cYtfQJPYZzlS0CAwEAAQKCAYAU + 6+/SatPtEQqp7rYk6mPaumPoMRxub5uIHBDSdkFhm/hDObMcuYMO99dCjjstF0kV + EK56GMkwhRwCrFtzmimSBwiZOM2HlCY5rpJu5A2s2TeJ5/JG+o9UBjoCorb8wdjn + tYQ3PHHjsTywZk8htv6RM6/QDMxBiyJKE+UcInjmwcEYaLBqBQHXy+WNQ41+EUPY + pJ6rlP+0cwpBO6jsqPrqDS+WuhHqtJHEi9z/FP1cWxWlZRiAuO6pC5hPSnyD5jz/ + N6yY8T9VWrcxwbohg2ZkW2F3wEG2KOjC0c2b4SWnrnmH+zQw/tG73jt123eETf1y + mN12iZL6yZM7PJ0VmEVKKSY0Y8fuib5bs3B4xpD0PnD2AZSYu2ExT0IBZhEoH+FM + oxbP6jf0+sD8Odn1Locu8R4zGYx5kAm7Uy7dBjxFAGHb4qImBk0yrUO7hg+uvzSx + hEZi9cWQtg51TNTM53+KV4KmlfaC7iRHTuaEwETUl9KKUuaAlAfJPUO+e/Fcvq0C + gcEAvObaq9X1iZDs2G+PBJOIJhSbLVVpwjA5OonUl93rUSUWWhOeR136p2duyP54 + X0EyXIFHG8hoTfILeeaYYfV3jQasK0wGnE4suMKQ2qrfSLlcH/fn/3qcV3CzFGiA + XR9RlNKmUSN6Z3RtUQsvpbL9y97ycrbR3IgBj2squEClrDwwiFEcmAL73KDCUiLq + UWHJa8YjTvE1rYqgXFMqIe9OWXEaz4vzeHcj8seJTQfU/QsuD52D06hrzG9MzcfR + RmgfAoHBAL9i9mDVlYANRXMCA5pA9wlgvPxLaAEzcrLEoLE3LRwStsthCUwq6K9t + CRFwsdSecRx2QqAIOFeNZoobKdhMrZPj//JdCwsHnL+IkxgawraozG/3h2PsvLU1 + 0ADF3HTVvaQyxDxbipYQtSg5n3yRrmP4Xg7SxwrINKW1bZg56a89B/eOEvUjsuAg + 3aHPzttoW1bhmHuNuRQ8bFfQYLZsciNW4oeRLYowCvje+Z6O2NnbwXE6YQhou/kc + us2stsRJMwKBwQC1jftlZEKVcSDx9Ga0s0cLsopiS9FVvhuC063sOHJOjyKoeGqL + lRuvgY3MyCbRBkxs9CNv5HG7WIMHKkYTAGViuaMICg3gdJIvEXE/eTMZJm4Qm6fy + t9lDgSHc34Nf/RXfv4XyPfMLM69NUT7+NsYPB7xl3KhfGKjHOuzYIeoZW9AZdDvT + Lir7pdaeMsiaZy2707djzBkXLkFp+tRnwSTAeiCWkZ/zjC6UzIp96qUef3xJrc5h + w2G4HtDmhsHwtWkCgcBHHV6vXK3Qhx3nPjhYeQtSUL/of5yF1bgo9SdAsl/wroN9 + 
zvDFfKw5gyp7cISjnLwq90aKcIN/BOu1JaLG3Lci3PWd+TTBRHLaOMVvj4IKnW5Z + rICCgNUeAIDpyJvCTinJeZOxWdKFMHAgIklA4GEMhJ1upKORPhNR/7hZeCt9EhCD + zCb/L+Sno463MaCLpptKDUm7n03GVy1q8+L75hADUaWa+jcRwghRsYjPggTR7vZS + PH8RwNkYF7TR9/txtEECgcA6cUo+vJNR6+ivLZ4/hbo8anSSjiVf6SkWNmkgyx/P + DRjKRUbpESlrChI4LHJPPnGz51Anh+NpfaUm/ysK9hM4s8EH9jUsbM80/reaz4Cj + oi4jQ+kgXcCHRqBrzUijicr79wUBeTsqFrntSHv9ISgmhKACCTPPjPJlRQRiMnEB + g7EnncvAoJ54mXnF8+PW1Xl/qk5xc+50sAQy2p6BAW96MeF6xS8PFHTv7wM+m8oc + XWzEQ5ocvfe7LQmEvP5kg0Y= + -----END PRIVATE KEY----- + pub: | + -----BEGIN CERTIFICATE----- + MIIEmjCCAwKgAwIBAgIUObCzv7/MCagBgwp6pUw9VDiVwfcwDQYJKoZIhvcNAQEL + BQAwYDELMAkGA1UEBhMCTkwxFjAUBgNVBAoMDXZtLnNjei12bS5uZXQxFjAUBgNV + BAMMDXZtLnNjei12bS5uZXQxITAfBgkqhkiG9w0BCQEWEmluZm9Adm0uc2N6LXZt + Lm5ldDAeFw0yMjA5MjMxNDAxMjJaFw0zMjA5MjAxNDAxMjJaMGAxCzAJBgNVBAYT + Ak5MMRYwFAYDVQQKDA12bS5zY3otdm0ubmV0MRYwFAYDVQQDDA12bS5zY3otdm0u + bmV0MSEwHwYJKoZIhvcNAQkBFhJpbmZvQHZtLnNjei12bS5uZXQwggGiMA0GCSqG + SIb3DQEBAQUAA4IBjwAwggGKAoIBgQCNOUNTNLeed2/L7zuASntFKvgUK+Q/6lNC + rBj1FgM2luxITFDacW0lmNtwY+zJZ9AFUek9O1V9peP+AXrYGJrwbs/VbWrt7hCo + 4Iv/AsiSyKpPPxoMhSmzu+uqzM+no4whZGDXLKtkF/OZCSMYciAD2zfQBxMSkqaD + 1196CwyBDw1EXVyln8F6XRyxHKDiF9Vw1oGS/SjvEMMFCK3SVE+1ipp1D8+cL689 + c9HG1dmyi24mGAtVSIUneoMEG6C4AsWJzlwt98c5PRLnWfHWy6KJmiYD9+w4efnq + DUNdJDfMl4Us9p+eXzh4jYXATWXx477N9PtjJIq36rU/TYU4GwoPjV49uQDW+ORt + 0gN+8Qa3M0GmOtyH3nkoFZRRYSkecyH1B7jWWYxWvUUKapkpMHVhtaWtlzELtrWL + c5qqoZChEvA1G2+Wp7rdn0durrOAPTjYTUqMuLDb+gWliftfruZR/QpXhoWFB7gs + kkh7LeJphXxO99H3h4cYtfQJPYZzlS0CAwEAAaNMMEowKQYDVR0RBCIwIIINdm0u + c2N6LXZtLm5ldIIPKi52bS5zY3otdm0ubmV0MB0GA1UdDgQWBBQF1u+ZFSf2iyKf + l+Fj4Y9EXIu9PTANBgkqhkiG9w0BAQsFAAOCAYEAe60lfiT6HnVdJq5T6RlcsMIR + 5h6Fi6Lt1CAFoN/V9O7onDkdcyxr0i/ZDtzwt4a/r8dbiHq7/cidxUmPKQhiQExz + MxT9t81KupbrKCS9uGT+8dPPqWxSg+pQnrqOHyGtWyaCobGCkdLPyQxK5oRxJHj8 + srPmGEespBPkV4L84FA4zqXZYX/DZ26NbaaliNGGt+wciBvb3hPDUYEAGZED6CJP + hdeQ8kA1aE6M/s6V3Xh4f57z93x8yAt3HHurCuoeMAdgTWiukDFDFQ5vqX3W2zq6 + 
V+JFJwNZWydcISlXoe9a0jcWp6cqtJ+EkEabzFeDB8OLaEbDjJLFABbSOrfE0+KS + LRdrq7/gyS1n6/isMsewwbw0BlmfzdqoeUnG6al2e6CumBxcYqM2IvZSOApLvgAe + jKMN0L9sGHSTuhbUqVWGvPmCACzfX62v9fNqxYFA/hz97cxswvHnAwA/1IYiLH/Z + N4X/X1yBqoJ5mSNpyhRdbf5Y4skqSKixknIoa2Ct + -----END CERTIFICATE----- + +backup_collector_gpg_publickey: | + -----BEGIN PGP PUBLIC KEY BLOCK----- + + mQGNBGCAOlUBDACj9u2Q+dKVKqRx0kSmJpc7oYEba/verwaHQqm86z9X/6jl+/Hj + Csvnmy+QfdvKiSCoY7ITfogincx32MSqf7kmxRo/1sne+B0aUqS8nRzlJExwCNz2 + SaoyOXaPzfqwuxFkqyq3vAO+HNQBntAN9XOrkm6eP8HVh8dat1pHNnV57YJggy0W + TJjDu7aoFyszsVxXfnSRmCzCzNemu2syq5bOC6A3coXfY8MURYay2nhK+ZbUJkdT + lV1j4/NMPheGk5mW8GvY8kuV25SM96nSBrPlIb8ON20XaLA38rNSzAmmQv+oYnH5 + cODJh+7WvRaBqleC9NR1SLlUNFcPB6DHfC8E/y/+ERyuyxYT+tHeE2a6xStaxqr8 + EBefBQgCGXpkRFDpE3Lq38KMQjqRTYn7tziBxkC71NbFtdiyOJRZKgMmfOp9wjbX + gNV05MTwEPsRlErq+hla3yVRn0TSUrQ4h0KGJH+bH7bxNIlsu5ZBoF65A1uXw49J + culsHCHnHI6dq4EAEQEAAbQnU0NaLXZtIEV4YW1wbGUgS2V5IDxzY3otYmVoZWVy + QHN1cmYubmw+iQHUBBMBCgA+FiEEVidRETXNP+Z4V1y68yaz4NUL77IFAmCAOlUC + GwMFCQPCZwAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQ8yaz4NUL77LeEQv/ + XXTA4NCEkaWDE1AghlC5fe5Jbb1YpOVpFKk3Mb839mTzSLt+cbWraTXGak/QimV0 + ni3X0zoLtDCoCVDuEfcmgOJz/DkDnkE+OxhpPhQh+z86DCE8N64AxXnq2lUuW85k + O6uMOBO7KpK74tzuSCDTBSNTaxgSVbkiUYwEG1FkfCJJGLB6vXaGbbURvL79nlYJ + IFE4vj+3loGlqzUJw44y/Uy5ouOFsRdgBcRDGeRqI2jef2mDkkmg98uWJ8uOrDEC + 9MpPyK+TjUh99uplE0hO4/LT0C9Fr9vNiCmLfqZS0GeqP8qAxD4rYzAY+EJfbJcZ + u2vjT9Z21fShkLU71Jul+CGDI6c8/7r1lo80Ub+itJKs5i7mtyL/tPjDBFZ+Yimu + PpTBAZM6szo8KVdy+9qhCX7jCxCE3DYTZs0S53tgZ0v+3JSWrheONajfkhvoY6/6 + NhSMTJj7dDWm1FNJPzkgZ+Yj7XhXob24lJSj6ovhA+wBtHGtPf2LEmsCr0Xf3A9m + uQGNBGCAOlUBDADD5UT3Tex74Y7r0ZKUsVZ1j//vrRAz+6fw2aAkwefOFCwAjPWW + /BCoa6Gg/QpqSNYStUBhFCdJhs82h/rcp1LsF8dr+nTUqTlfg37gKIsr5W3Lm53g + wokI4v/7eg2Bs0kKZZEobYiSDyfc49bVHtw83wb3acjdx7k+WUuGcnOtw+bHaKUj + uJSsl8e7G8zuPE/OkG5CDqBKpnG8CzdNzuDJ/Cp87qV2DTyMJpuLQVTOOtKTuXHc + Pc7nuEKMPqfsfl+g79z6+2gZYPNZorojyLCJoUgq9wElqD0DiAt1zJN6SU5oxJDu + 
njpWZZlxjzQDxVw/unmPfQpelm/vdh/Mbcbdxr0mk1AqLShDLyjhTmgntk9pfB5Y + soVfZEyCCp+7WaHb7w87VtrxKr974T/yCws5SGDRqZKCkNalMhFUMSuzBAEGRVUK + IqBGyzluCnIQmD0mhXaM3hLL9pGJ088pfLXrQgZmtyGgGf8KxF76qEI9S6pczPL/ + PhJoiYZPxnWjwCkAEQEAAYkBvAQYAQoAJhYhBFYnURE1zT/meFdcuvMms+DVC++y + BQJggDpVAhsMBQkDwmcAAAoJEPMms+DVC++ywukL/iKDK+4wP2sDTT5ETsMjaAtt + zHp3vuSUkRkJxyVhkacaGJE8csmvpCpsb0/mchTimiwkODk0zSjBodN4UubKPUka + d9x3/ReskrsLhO5lpPy1t08FZ+wfjO55Zh2d9OiXQaorhqvgTTvMVLPpF500htWC + lmpYD7oJpyVid1BkSj6bNM6O+qiY6IcS4fJKV4LgAT039DfmPhsE/04Tc/iURCb8 + f2piEk4oOtHoRyvGVBY3+un8XTVX+XOTJirirWyLojYor31Y3kewB58v66beN3v5 + rw4ZzIUv+BmtQrh48dsFf2BsWRmvYRmlCTUQXViNaGmGqheJNTpull4vkhWz9r8Z + XsC/cOXysbyu5qsJDKtgQBoBWSeWWzXT/flwXtzLlwCcH19YH0rJYlQ9c2QUysZb + NTRahbM8bQG9xBcsr1qdzs6h3SbBTBnfRccgSVTeccs607Ao/ZCSDUL5xo06bfLG + V2BueJ3lDPM2vtO/zlEzZNBOojiWUEMOyMgqrhxQSQ== + =GOrn + -----END PGP PUBLIC KEY BLOCK----- + +backup_collector_gpg_privatekey: | + -----BEGIN PGP PRIVATE KEY BLOCK----- + + lQVYBGCAOlUBDACj9u2Q+dKVKqRx0kSmJpc7oYEba/verwaHQqm86z9X/6jl+/Hj + Csvnmy+QfdvKiSCoY7ITfogincx32MSqf7kmxRo/1sne+B0aUqS8nRzlJExwCNz2 + SaoyOXaPzfqwuxFkqyq3vAO+HNQBntAN9XOrkm6eP8HVh8dat1pHNnV57YJggy0W + TJjDu7aoFyszsVxXfnSRmCzCzNemu2syq5bOC6A3coXfY8MURYay2nhK+ZbUJkdT + lV1j4/NMPheGk5mW8GvY8kuV25SM96nSBrPlIb8ON20XaLA38rNSzAmmQv+oYnH5 + cODJh+7WvRaBqleC9NR1SLlUNFcPB6DHfC8E/y/+ERyuyxYT+tHeE2a6xStaxqr8 + EBefBQgCGXpkRFDpE3Lq38KMQjqRTYn7tziBxkC71NbFtdiyOJRZKgMmfOp9wjbX + gNV05MTwEPsRlErq+hla3yVRn0TSUrQ4h0KGJH+bH7bxNIlsu5ZBoF65A1uXw49J + culsHCHnHI6dq4EAEQEAAQAL/AhPqfchUrVQ9gj2+ZfaeOwC4cJ8FMZS5OfSTzxO + SGWzheIyhS5XC8LvsNeIKa34iXk/pHUsgsYObaDdkgp6cu4uK4h04MK2nPMKoWMW + K7LJxj4flOO/FCt7kjDz5fMzaExMCNxLYX0vhOeYHz+142kdARJwdOjX+xj0FlVp + w0as7WDrBUwOEehKCZY3pm72XJHqzQncRtiQ/ZVsBqEI5ZoIKNTmrzaFngvXAl7q + iBJ02FpknlT0S0mW8mw48YRW0ut2O2Kg+v2x8O/UJvmOrqZwMcDkNeRXDKhCHyRO + DskVFX6PiVuqItiihRmiCAKlRvre6jCXO74jHtohvs71eEAcCO5N7Zhazf54woy7 + gbkiQFv5q0TItTqcsei7CtD9hy4gfhORQCQBjToKKich5y6onOB8oA1W2OTcS8A4 + 
X7HPxYDinDFH98ol0HEURHx/vv7oeQ6ncSaAP8CON3CgPaNWQDvu94lJZrD19+mQ + eY77nwgNN4v7kjYa7aI0sHgyCQYAxvDGq8EHlkJbkv1zYhTTYUPwPUJegmdWeQxM + qMbBcFYyVXkyH1lFPIUOkY9ruYNmECqVGfnOFbTJxC2zTPM5eiEClAJ8YqqAwpdG + /q5CcqV5FRquiVUBaRzjn9MgxNP3xi7m1Jkf44dk5INKq8AuX2XGE+uRuQjaLeIN + UZ8yDe0wsHP/9gGMIyDBlwOAqILGJHOtgB3QMgPvVbEIPFeUZ0kdS7wIpkr3dm/1 + 4mdBQrJLUPuw8EOwKVIyXLW0Uz/rBgDS/gnoRVS+8t/Bo2D/dfH/t5IB+LIQsb7n + h1pNJUF+1fJ+wczIaCzUktkrMsfb71VPMgub7kHpDAlresK7ZleZBnpLyFp1F+zq + h67SmTNWJqvIDv30WdVgc24ZdHfUH2uA7wMQ7vYY9LC3eLNsAuIEzQSqkdcB+M4k + /2Z4MoKh7VT0Skc587i9/cOgNArrcH98H8cCU5x8vnRnXWUtYFzuAhoqdg/82ne7 + rW2MCxl/KjklAiiLMEmfe9Cg4QVgk0MGAKdEca/jmBhpwhuWZ0AKKYOFhOtR0OHg + B9T2z9WtHX5hHSlGLeDF+Rq6pzHpxePbRAHSZR6c5a024xzsey3fUrZemzz8B23w + gRPYjkC8MhQSwh1PwQS0qXZIVPaC5KG3WbE8ZWBERW1zx6iCldtL5ec3OCmrriUg + 1ay1hCKb2XbDprIGQkMsSUDQ2inTEwHAVBkfQeTqwgS9OzkaH1IQ5/kzpAMw7wTp + TAC95elkIsVPzbNO0pUg0WrEzt7Vx7XijeDqtCdTQ1otdm0gRXhhbXBsZSBLZXkg + PHNjei1iZWhlZXJAc3VyZi5ubD6JAdQEEwEKAD4WIQRWJ1ERNc0/5nhXXLrzJrPg + 1QvvsgUCYIA6VQIbAwUJA8JnAAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRDz + JrPg1Qvvst4RC/9ddMDg0ISRpYMTUCCGULl97kltvVik5WkUqTcxvzf2ZPNIu35x + tatpNcZqT9CKZXSeLdfTOgu0MKgJUO4R9yaA4nP8OQOeQT47GGk+FCH7PzoMITw3 + rgDFeeraVS5bzmQ7q4w4E7sqkrvi3O5IINMFI1NrGBJVuSJRjAQbUWR8IkkYsHq9 + doZttRG8vv2eVgkgUTi+P7eWgaWrNQnDjjL9TLmi44WxF2AFxEMZ5GojaN5/aYOS + SaD3y5Yny46sMQL0yk/Ir5ONSH326mUTSE7j8tPQL0Wv282IKYt+plLQZ6o/yoDE + PitjMBj4Ql9slxm7a+NP1nbV9KGQtTvUm6X4IYMjpzz/uvWWjzRRv6K0kqzmLua3 + Iv+0+MMEVn5iKa4+lMEBkzqzOjwpV3L72qEJfuMLEITcNhNmzRLne2BnS/7clJau + F441qN+SG+hjr/o2FIxMmPt0NabUU0k/OSBn5iPteFehvbiUlKPqi+ED7AG0ca09 + /YsSawKvRd/cD2adBVgEYIA6VQEMAMPlRPdN7HvhjuvRkpSxVnWP/++tEDP7p/DZ + oCTB584ULACM9Zb8EKhroaD9CmpI1hK1QGEUJ0mGzzaH+tynUuwXx2v6dNSpOV+D + fuAoiyvlbcubneDCiQji//t6DYGzSQplkShtiJIPJ9zj1tUe3DzfBvdpyN3HuT5Z + S4Zyc63D5sdopSO4lKyXx7sbzO48T86QbkIOoEqmcbwLN03O4Mn8KnzupXYNPIwm + m4tBVM460pO5cdw9zue4Qow+p+x+X6Dv3Pr7aBlg81miuiPIsImhSCr3ASWoPQOI + 
C3XMk3pJTmjEkO6eOlZlmXGPNAPFXD+6eY99Cl6Wb+92H8xtxt3GvSaTUCotKEMv + KOFOaCe2T2l8HliyhV9kTIIKn7tZodvvDztW2vEqv3vhP/ILCzlIYNGpkoKQ1qUy + EVQxK7MEAQZFVQoioEbLOW4KchCYPSaFdozeEsv2kYnTzyl8tetCBma3IaAZ/wrE + XvqoQj1LqlzM8v8+EmiJhk/GdaPAKQARAQABAAv5AYSR4f1lx9U3qwAKe+W/1CnY + 7KQ77Fumrd5FCqYGGFlEOL8QFuSzHmGSuvbdHhf+01RNfLJ2J234nutJcYV0HGK4 + DSFVwhT1PhsrPIJrmsrI2RI/O56WkNQDhc6U/0RrPFG5SEbcm5EJUrLNbrsFoLQ7 + HN3TZi1d+29pyQquT3N0W45Icw4DFjQmmJ6FYZn8vlrjdm7k8cT6D2n4QdEhTZ+o + wIEK6PPI3HXynun/iCxF/Mor1bWZs0QIM27QRhD08G2dIYLY+37BWVf0ZsVFeW3j + W/VNUzgximggY1xCHiJx+SfRzZXGmCWcy4YL3mVSsisaoz6Vi9++DUiDiJlSMBv0 + COY2vYdTCfmVjOveYFSzbFIoioYikd9lFT3rX2ehz4TOcaTJaksETwZnAAYBMWpt + 0s94BNDahAb7zHX34rPR3Z6QKRQsrcQkAMNR6ja5VWapjzzw4n4vJmCkoUdthEnY + Y2KqhmDFp5TGIWG2aNlqXdr8kNTfemStRagVSzFBBgDTvVr+XluGZqK2gLfmZSu+ + kZr+HlB3O9zbdm1n6o7JmK/7DljjNIa9TsSIASuIrCVVBm+j6r4wxkCs5xGVJ8Mu + QZxvVGmBWQk9puon15t+J0+1cespLXw44L7mv+oUuGzelAEyC3ktB/W5m21TA/vq + cEnr1kO0G9No4sVPl1OAHSgzS0hjDF3SakoVYXOzaEKJwt/HJlkSGbLQ88Oqu6PN + zp7tZ/qNd0IhymTRo8Xau19xMImOrv44lso4EkFxfmkGAOzYEBhrc/j12L0KLlrG + NgW7UNwaaPT5S9kvGfKf20Jw78HWaFqokLX/P7iI4tShsogg/wvOjOxs6+Qy3JRA + 5DUVg8uDgniI1byjBjH9I0OBK/0PVcl+SgymqVt6fJjz3TpHJUphrMFQozhBdQFh + ZRSfYSHprESIf0UTB13yJp9aQpVD99MBf7aEO/rtL3sjSKWiDtxOgd9xxoRHHOwb + uror3kGlty90WH7zIe7Ph9ji+A/GQZkOeDJy7N1XL797wQX9HcSAqj+ZbXQFmqtD + 04ElaX5a1vP/adLyjO5peh28ZKRkyNLpcKKKv/lT4MbDnk6EOsu4iygbBctehnQb + 0VaOK3CsW6EsDJ08q+0bYkINR2UTAMmjH8XK6cDsvDWJSuIvXqtVelAhfN8jtcZc + H59q8lBHk6xzNUO7RIxroOjHdozmri0ibJS5TvDsqwyfbCGD36MqJFKTFrMgMKNe + eH5U2z+8shUppTnoANPzPfqeYLsrhTEfP5bJOvxos+a0crLV5nuJAbwEGAEKACYW + IQRWJ1ERNc0/5nhXXLrzJrPg1QvvsgUCYIA6VQIbDAUJA8JnAAAKCRDzJrPg1Qvv + ssLpC/4igyvuMD9rA00+RE7DI2gLbcx6d77klJEZCcclYZGnGhiRPHLJr6QqbG9P + 5nIU4posJDg5NM0owaHTeFLmyj1JGnfcd/0XrJK7C4TuZaT8tbdPBWfsH4zueWYd + nfTol0GqK4ar4E07zFSz6RedNIbVgpZqWA+6CaclYndQZEo+mzTOjvqomOiHEuHy + SleC4AE9N/Q35j4bBP9OE3P4lEQm/H9qYhJOKDrR6EcrxlQWN/rp/F01V/lzkyYq + 
4q1si6I2KK99WN5HsAefL+um3jd7+a8OGcyFL/gZrUK4ePHbBX9gbFkZr2EZpQk1 + EF1YjWhphqoXiTU6bpZeL5IVs/a/GV7Av3Dl8rG8ruarCQyrYEAaAVknlls10/35 + cF7cy5cAnB9fWB9KyWJUPXNkFMrGWzU0WoWzPG0BvcQXLK9anc7Ood0mwUwZ30XH + IElU3nHLOtOwKP2Qkg1C+caNOm3yxldgbnid5QzzNr7Tv85RM2TQTqI4llBDDsjI + Kq4cUEk= + =j8Nr + -----END PGP PRIVATE KEY BLOCK----- + +# CA for journald +journal_ca: + priv: | + -----BEGIN PRIVATE KEY----- + MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDq9SHYHZXoFghU + ChLXuG+6d+GrS56huK6fpj40DJXFiPQagujirwJFtp06yBQBuv/NT46deKHA3Wnk + E1woisOzkMUJqhFEy8pFf1gO4qlJUlQf6r+NTHaEl4z2fDRKLDVLDw4ysRAIgIkg + TKKIRvaKloe72A2pYX669JuVNygrPw+obK4izq46yV4OFVW4HjsW+BU+F/O1cOZX + P7ysIVcmHzyjObYjo0zgq0TZkBSxDjt5f6hR+oWYrOMFNO95JwzzD+u2uOh4Be0G + 6ESoomkav/tX4hzJkbQXDlgAGXEY/cXVSejhKCh4w+UYmihuDmM/4ofgaxtOvPxu + SYdy/i2HAgMBAAECggEBANUz/TMLnbTNEV+ZCIIhhZkSIX/7jYW4fRS3mKhIZzup + S8Am3EaeghRaYhAt8CGl22slbwcrqLPG9siUXMMZL/5oNrPPU/42YmRv6qsPOIgl + IdsYfBsusDkfADXGfPh1ZyKmFb8f9qmQYV4izDWXFy6o66AjrDnwEzx4rBlZxKR/ + xkz78EHYhcMO0Ed+OQY+9Uxq7Pc+JeT3WKyEsmb0wCNMHyolQEYDVYxKS1Ivdv6m + +fCC8rf0/ed6w8m4DLosSPHujW5bujcfI4A6A6M1ZxddguGAveQgBxF8stcg/OT2 + J5H0qZolfHnuHQ94/cU2b6QGyMirwCZKutv12Arj7KECgYEA/cflOTbq7a6wTB9O + PQN9z+akiqsGeGti/emY6i8AsZBY2vA2qzl2z4RigucL6vmeznMERydrjdgnRtyI + 0huQFEmC92ae7giocgIE1YOhLc5TEa4XIZNfiRjG5XGkLGntwFKK1/brnLWVoAuB + VkdFEca+Y9mXc3fNCeBpM2pz0rcCgYEA7QMZgxORTxnv+sjhdxtmDWhqm9/mM28E + rzJzcN8DTQOrjWeFkeO0ljEll/pmMlwpVmSgq7U7vo+sQculpr4YCC4XlnPECRW0 + OjsXfx5akS34kAIEL4PhTVfT6jH5q3kkEiG/AN84YWxcFvUguBbvdG0HsP0OlZU5 + wIM9kKvha7ECgYB3iuzQGa1qTqpfATQii319LED/zPYcTUFxJ9NPJNrnyX4Bi7vE + xinQMKUS0nELu4/x4b33InuIcnR17bZJepBQ7hvSHDXrHIr0QT0zsnB/GjyJDH96 + 4mfTNaejNvfFsBQ9TuR2PKrZw7N6k1DWanX/nKXcdQfhbWJZL6t+e7uZWwKBgEif + R4TrTP3w06CDRtqJEacQFIJ4g3/FB6lrCwZNvyQs+LbWPo4qOF5A5uT/e6r4pE3t + fXG/kXPdcAmlDbfezVxMSzv1ct7ZwKSLELMJqPSNInl1tLSecz2QqMU81OSetNe9 + cVoiC5OGcV0zdPgTRwHkmpO3pm1dERoU3JtknyixAoGBAPQ/Q5A+/HWo1JbNa9Y4 + 
etDNdely8vsyXtT9+iXkkVdUHGt9a5q75gJweD1j2KqXspKaQRmnfhh/Nvrufq3T + Q7C0cUNs0qBiFzhSRxrxlGdoC7wfwaNzxl1X+yN1JtLqKzlkwwB5ngAXYKcOv/pD + PZciyo1YrCISV3dSUg08Qveg + -----END PRIVATE KEY----- + pub: | + -----BEGIN CERTIFICATE----- + MIIDczCCAlugAwIBAgIUAi21kgLx+Su2fEv4qnof1IHvebwwDQYJKoZIhvcNAQEL + BQAwSTELMAkGA1UEBhMCTkwxDTALBgNVBAoMBFNVUkYxDTALBgNVBAsMBFNSQU0x + HDAaBgNVBAMME1NSQU0gSm91cm5hbGxpbmcgQ0EwHhcNMjEwNDIyMDgzNTUyWhcN + MzEwNDIwMDgzNTUyWjBJMQswCQYDVQQGEwJOTDENMAsGA1UECgwEU1VSRjENMAsG + A1UECwwEU1JBTTEcMBoGA1UEAwwTU1JBTSBKb3VybmFsbGluZyBDQTCCASIwDQYJ + KoZIhvcNAQEBBQADggEPADCCAQoCggEBAOr1IdgdlegWCFQKEte4b7p34atLnqG4 + rp+mPjQMlcWI9BqC6OKvAkW2nTrIFAG6/81Pjp14ocDdaeQTXCiKw7OQxQmqEUTL + ykV/WA7iqUlSVB/qv41MdoSXjPZ8NEosNUsPDjKxEAiAiSBMoohG9oqWh7vYDalh + frr0m5U3KCs/D6hsriLOrjrJXg4VVbgeOxb4FT4X87Vw5lc/vKwhVyYfPKM5tiOj + TOCrRNmQFLEOO3l/qFH6hZis4wU073knDPMP67a46HgF7QboRKiiaRq/+1fiHMmR + tBcOWAAZcRj9xdVJ6OEoKHjD5RiaKG4OYz/ih+BrG068/G5Jh3L+LYcCAwEAAaNT + MFEwHQYDVR0OBBYEFK0gzuIC9i1pTsZkVLKBkSoKOO+9MB8GA1UdIwQYMBaAFK0g + zuIC9i1pTsZkVLKBkSoKOO+9MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL + BQADggEBAFfskDrWP7S4X0GlcE0Qv4Jj+EisS+8ELfepgYtARmm31sbHPYWlnWy+ + Dka5NkId48ebBlNfZ0c+057UW6BDffAGoOhDM1ZFac2ON3Zq1xGRQkgDOrFuw9ZG + RLbgjVRId3caxD8eJLf27I3WwS9T02fkuJyWENPZJTLNp0ZgO/a08b1ZJA38+nIB + 2B4+D32mmorXEnQy3tdJ0MN9605f10wckuUh9WNo0dfEHOk/2IEMRDF62FQ93Zof + S9wywObuuNN+OqBnY/vwbx2PyToxSW5szqMsXwSlZVUQEXDs+WXc5hHHLhFiaQkR + yh0pHTzN4Q3CK1Tc/4Q4oxMdDeyHeZ4= + -----END CERTIFICATE----- + +# cert for journald receiver +journal_server: + priv: | + -----BEGIN PRIVATE KEY----- + MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC6GIirWn/0ra4U + sgM+yELrG+eyvpoHD85sR6gPlCuaEbR+Y3QH/YAC1ds//+Ew4/C2mMTdtf2qd3Bn + Hn9q2dYZR8yjbSH7NpkWS5ctWOnePmmNUYzJXQ5OoIgbAh6JxvhTamnXaAx22OFz + WY6GScDNcbnb3AYHEWiEX9HpBhfvS7ahwkG7eKSEftGpDG6a88KLQzCB2tThQTdI + 4UL5S+JrJvhNmoXnWIZoyZPDMZyGezvefqVEoU8NFoLmoeClM1gGkGDequumFCV/ + PISEmYplErwmuGalx8K7mV/bA0WljEtIqi3C6fsX6EunDD/61iRz3+TqZDmQ2Kob + 
rtjQtBydAgMBAAECggEALwXkAuhrTLhWNISGrWaNAjua4F+pK/+ieVnh7Y3TNqsi + oI0g1KQJpK3FKPbPQDtYp8sSc7N41Yo4rNXX/Hfu0ZSC8QiyfXfeVvPiz2KYNcAv + i7X/jSIma1fFDI4MiWPte6Z3+CYigCVtUmheyy/3t/H0tMlz/HU5o7lSoT8Y7S4W + J23xTOyJwN2HRYxrcCdMdBweAquSUhcieUUTEcomlmm2UwgGMBevRpCK15mfdUqc + f1iph80ZUmBectsRRPwNFdhILEf1OCB+k4zOnXioKuwHMT//DiHmTy/4xQJAotds + K9zf93sqtUDFcotSkc3gDi4AsKMCjfCghVIZ1U/cAQKBgQDiPWwL/9V+AZtFbLN5 + pxTjsnyXiMBCyLt/TGCjEoqeHDzoZFOpkNhp819ciHkIDcVSnKv5qp7OPCZzHZQ8 + sXjveNlbhEb1SsbrMinXaqB0kMXy1vOqj8bmqUsZEBFt56xsUEcAex13Tm8IUVhe + YU4lP8OCRH46ZFfx+nGQoAZR8QKBgQDSk0TCzD4hmsTAYKZcJcqkDNUoc2P0U70N + j44JqHetLEgaWZiWtYNWHdu5dAkay6mEL+85kb62vrtdZrYEaj8zGSImrIGey8Eg + wyB+cSwyto3ODZ3lqyLsoG5O4Mmvl+gMbjrsqBcttIT4Vq4dAafgGW2IBJLXFu9O + LNLwBX3JbQKBgE6n7iWp147MfjA/35Ie/ctAJcMFX1qYsV9LrZlke98GkEJ3hwLA + Ag2r+G6SYAnlx8G2CLBvmnC3RuLk2MHVLeeMC32e2pCzY78nnJZxUsHUB44rH2Ig + RJWzLBHVnUmpry+lJVpMc20kTsQEjAWcLPAUYCOtLnmco1rUqKEQkcHxAoGAURhE + F9z+ZIStFwVhrAUl2C3U/WIK8XI6UXmiktedV0TBc9xjZk77CHQxRWeJhhc+7lhj + gcE+ODSWBa9jk6mzMyOPwmMW/Cet9ccPwYImKlWhoOQfle5lYcmbEaeCJKyUwgzF + hpRpcMGfn+AJ58PWefhw9TwFrO35NRsQFT2YJrUCgYEAtmJrQq3jjvhh91eHj9iD + VGi38FP1yyCoppfnWcsrWcMomvjZ3WI2LHUEi0G9sS2UlVpls9nqcroqnlvvmJP8 + EOSOiRRJzjkVIQtsXA3pFL1gNbdVIV7uCijRWf5CqCKLbvSrqQDfYXn9NTu24Mv0 + uhnSd7x1WOsa81cECoCcFZk= + -----END PRIVATE KEY----- + pub: | + -----BEGIN CERTIFICATE----- + MIIC2TCCAcECAQEwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UEBhMCTkwxDTALBgNV + BAoMBFNVUkYxDTALBgNVBAsMBFNSQU0xHDAaBgNVBAMME1NSQU0gSm91cm5hbGxp + bmcgQ0EwHhcNMjEwNDIyMDgzNTUyWhcNMzEwNDIwMDgzNTUyWjAcMRowGAYDVQQD + DBFiaHIudm0uc2N6LXZtLm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC + ggEBALoYiKtaf/StrhSyAz7IQusb57K+mgcPzmxHqA+UK5oRtH5jdAf9gALV2z// + 4TDj8LaYxN21/ap3cGcef2rZ1hlHzKNtIfs2mRZLly1Y6d4+aY1RjMldDk6giBsC + HonG+FNqaddoDHbY4XNZjoZJwM1xudvcBgcRaIRf0ekGF+9LtqHCQbt4pIR+0akM + bprzwotDMIHa1OFBN0jhQvlL4msm+E2ahedYhmjJk8MxnIZ7O95+pUShTw0Wguah + 4KUzWAaQYN6q66YUJX88hISZimUSvCa4ZqXHwruZX9sDRaWMS0iqLcLp+xfoS6cM + 
P/rWJHPf5OpkOZDYqhuu2NC0HJ0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAj4tY
+ 6OdNm0VDZA0gcvu+y9MRyhHcpzEqGhCzETID4tqHTNlT3AD33CklXomY+Zd//InG
+ qz3MkIZipaKyFImX6Js5TwBo0/Op8wcWzaCZuzjgBGt3jdJ0687AjZqmwD+RGkFO
+ 1mkJhkQ44mYR/nQ+m5i579p6E/Fe0/SvgUbRStKaQCHr25devhZYx/jucYZ3qSR7
+ F6lGrEw40Wz8j5hAD/GZHmAYFiy3MJ7RsrPom/6mN6rPmtwpadp+Amlom/8BKf+V
+ I/zhGURwkc42C8aa7+5WIQImlTfvk+ZZQXZYSjr73sOHMO74AR1hPnkys4wybZI3
+ bCC8QXwOq9wiJb7fRg==
+ -----END CERTIFICATE-----
+
diff --git a/environments/docker/secrets/users.yml b/environments/docker/secrets/users.yml
new file mode 100644
index 000000000..c28e4d31b
--- /dev/null
+++ b/environments/docker/secrets/users.yml
@@ -0,0 +1,36 @@
+---
+role_to_groups:
+ adm:
+ - "adm"
+ - "log_reader"
+ ldap:
+ - "ldap_vm"
+
+users:
+ - name: "Admin user"
+ uid: "admin"
+ roles:
+ - "adm"
+ groups:
+ - "admin"
+ pw_hash: "$6$g/t0YFD/$HRlUhrl9FHvnuLo4X.vxd4i6RD5X.CGblsUaC15sk6PCTO74\
+ s7ZmPr0VXIrJ5e.7fS9SXsz8OohexXBoP3iEd/"
+ sshkey: "ssh-rsa Dummy key@host"
+ - name: "Test User"
+ uid: "test"
+ roles:
+ - "adm"
+ groups:
+ - "test"
+ pw_hash: "$6$g/t0YFD/$HRlUhrl9FHvnuLo4X.vxd4i6RD5X.CGblsUaC15sk6PCTO74\
+ s7ZmPr0VXIrJ5e.7fS9SXsz8OohexXBoP3iEd/"
+ sshkey: "ssh-rsa Dummy key@host"
+ - name: "Test User LDAP"
+ uid: "ldap"
+ roles:
+ - "ldap"
+ groups:
+ - "test"
+ pw_hash: "$6$g/t0YFD/$HRlUhrl9FHvnuLo4X.vxd4i6RD5X.CGblsUaC15sk6PCTO74\
+ s7ZmPr0VXIrJ5e.7fS9SXsz8OohexXBoP3iEd/"
+ sshkey: "ssh-rsa Dummy key@host"
diff --git a/environments/vm/group_vars/all.yml b/environments/vm/group_vars/all.yml
index 6d436a199..d82b2d8a7 100644
--- a/environments/vm/group_vars/all.yml
+++ b/environments/vm/group_vars/all.yml
@@ -104,7 +104,7 @@ services_ldap:
 o: "Services"
 binddn: "cn=admin,dc=services,dc=vnet"
-db_host: "db"
+db_host: "{{ groups['db'][0] }}"
 sbs_db_name: "sbs"
 sbs_db_user: "sbs"
diff --git a/environments/vm/group_vars/vm.yml b/environments/vm/group_vars/vm.yml
index 40af63489..0434fda46 100644
--- a/environments/vm/group_vars/vm.yml
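Review bot: All three entries under `users`, including `admin` with the `adm` role, carry the byte-identical `pw_hash` and the placeholder `sshkey: "ssh-rsa Dummy key@host"`, and nothing in the file says these are fixtures. `ssh-rsa Dummy key@host` is not a parseable public key (the second field has to be the base64 key blob), so if the consuming role writes it to authorized_keys the entry is either rejected or lands as a dead line; presumably intended, but it should be stated rather than discovered. I'd add directly after `---`: `# Fixture accounts for the local docker environment only: shared placeholder password hash, no usable ssh key.` and consider dropping `sshkey` from the three entries instead of shipping an invalid value.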
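Review bot: `db_host: "{{ groups['db'][0] }}"` takes the first member of the `db` inventory group, so templating fails with an undefined-variable error when the group is empty and any second db host is silently ignored; fine for a one-node setup, but the assumption deserves a comment, e.g. `# assumes exactly one host in the db group`. The value also changes from the short name `db` to whatever the inventory calls the host, so every consumer of `db_host` must be able to resolve that inventory name; I cannot see those consumers from this hunk.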
+++ b/environments/vm/group_vars/vm.yml
@@ -26,8 +26,8 @@ hostnames:
 idp_test_port: 8444
 sp_test_port: 82
 oidc_test_port: 83
-# metadata_backend_port: 443
-# sbs_backend_port: 90
+metadata_backend_port: 88
+sbs_backend_port: 90
 tfa_test_port: 91
 pam_backend_port: 92
 meta_port: 88
@@ -37,15 +37,15 @@ loadbalancer:
 - name: "sbs"
 hostname: "{{hostnames.sbs}}"
 protocol: http
- backend_hosts: "{{groups['vm_docker']}}"
- backend_port: 443
+ backend_hosts: "{{groups['vm_sbs']}}"
+ backend_port: "{{ sbs_backend_port }}"
 options:
 httpchk: "GET /health"
 - name: "meta"
 hostname: "{{hostnames.meta}}"
 protocol: http
- backend_hosts: "{{groups['vm_docker']}}"
- backend_port: 443
+ backend_hosts: "{{groups['vm_meta']}}"
+ backend_port: "{{ metadata_backend_port }}"
 - name: "client_oidc"
 hostname: "{{hostnames.oidc}}"
 protocol: http
@@ -80,5 +80,5 @@ loadbalancer:
 hostname: "{{hostnames.ldap}}"
 protocol: ldap
 frontend_port: 636
- backend_hosts: "{{groups['vm_docker']}}"
+ backend_hosts: "{{groups['vm_ldap']}}"
 backend_port: 636
diff --git a/environments/vm/inventory b/environments/vm/inventory
index cc38cb14b..ac2c11ea1 100644
--- a/environments/vm/inventory
+++ b/environments/vm/inventory
@@ -35,9 +35,6 @@ db.vm.scz-vm.net ansible_host=172.20.1.28
 [vm_bhr]
 bhr.vm.scz-vm.net ansible_host=172.20.1.29
-[vm_docker]
-docker.vm.scz-vm.net ansible_host=172.20.1.31
-
 [vm:children]
 vm_lb
 vm_ldap
@@ -47,7 +44,6 @@ vm_sandbox1
 vm_sbs
 vm_db
 vm_bhr
-vm_docker
 ##########################################
 # role-based groups
@@ -59,7 +55,6 @@ vm_ldap
 [ldap_primary:children]
 vm_ldap1
-vm_docker
 [ldap_secondary:children]
 vm_ldap2
@@ -91,8 +86,6 @@ vm_bhr
 [bhr2:children]
 vm_bhr
-[docker:children]
-vm_docker
 ##########################################
 # all
 [all:children]
diff --git a/start-vm b/start-vm
index a62c712ee..1b9964256 100755
--- a/start-vm
+++ b/start-vm
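Review bot: `metadata_backend_port: 88` in the first vm.yml hunk duplicates `meta_port: 88` three lines below it, and the `meta` loadbalancer entry in the second hunk now reads the new name while nothing in the visible hunks reads `meta_port`; one should be derived from the other, `metadata_backend_port: "{{ meta_port }}"`, or a comment should say why both exist, otherwise the two values will drift apart. In the second hunk `backend_port: "{{ sbs_backend_port }}"` and `backend_port: "{{ metadata_backend_port }}"` render as strings whereas every neighbouring port (`backend_port: 443` before, `frontend_port: 636` and `backend_port: 636` in the third hunk) is an integer; harmless if the haproxy template only interpolates them, but it is the odd style out in this file. The `sbs` and `meta` backends also move from 443 to the plain-http ports 90 and 88 with `protocol: http` unchanged, which presumably means TLS is terminated at the loadbalancer and the backend hop stays on the internal VM network; a one-line comment on those two entries would record that assumption for the next reader.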
@@ -28,6 +28,8 @@ while getopts -- '-:h' OPT; do
 ci ) CI="--ci" ENV_DIR=./environments/ci ;;
+ docker ) ENV_DIR=./environments/docker
+ ;;
 skip-ansible | \
 sa | no ) SKIP_ANSIBLE=1 ;;
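Review bot: The new `docker )` branch only sets `ENV_DIR`, unlike the `ci )` branch next to it which also sets `CI="--ci"`, and the option is not described anywhere in the hunk; the script's usage/help text, if it has one, lies outside this hunk and should list the new long option alongside `ci` and `skip-ansible`. The enclosing `while getopts` loop and `case` begin before the hunk. I'd add a comment on the new branch: `# --docker: point ENV_DIR at environments/docker; no other flags are implied`.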