OpenConext · mrvanes · Mar 19, 2026
diff --git a/roles/redis/defaults/main.yml b/roles/redis/defaults/main.yml
@@ -0,0 +1,11 @@
+---
+redis: "{{ redis_defaults | combine(redis_overrides, recursive=true) }}"
+redis_defaults:
+  image: "docker.io/library/redis:7"
+  conf_dir: "{{ current_release_appdir }}/redis"
+  data_dir: "{{ current_release_appdir }}/redis/data"
+  user: redis
+  group: redis
+  redis_user: default
+  redis_password: changethispassword
+  max_memory: 100mb
diff --git a/roles/redis/handlers/main.yml b/roles/redis/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart redis container
+  community.docker.docker_container:
+    name: redis
+    state: started
+    restart: true
diff --git a/roles/redis/tasks/main.yml b/roles/redis/tasks/main.yml
@@ -0,0 +1,61 @@
+---
+- name: "Create redis group"
+  group:
+    name: "{{ redis.group }}"
+    state: "present"
+  register: "result"
+
+- name: "Save redis group gid"
+  set_fact:
+    redis_group_gid: "{{ result.gid }}"
+
+- name: "Create redis user"
+  user:
+    name: "{{ redis.user }}"
+    group: "{{ redis.group }}"
+    comment: "User to run SRAM Redis service"
+    shell: "/bin/false"
+    password: "!"
+    home: "{{ redis.conf_dir }}"
+    create_home: false
+    state: "present"
+  register: "result"
+
+- name: "Save redis user uid"
+  set_fact:
+    redis_user_uid: "{{ result.uid }}"
+
+- name: "Create directories"
+  file:
+    path: "{{item.path}}"
+    state: "directory"
+    owner: "{{ redis.user }}"
+    group: "{{ redis.group }}"
+    mode: "{{item.mode}}"
+  with_items:
+    - { path: "{{redis.conf_dir}}", mode: "0755" }
+    - { path: "{{redis.data_dir}}", mode: "0755" }
+
+- name: "Create redis config"
+  template:
+    src: "redis.conf.j2"
+    dest: "{{ redis.conf_dir }}/redis.conf"
+    owner: "{{ redis.user }}"
+    group: "{{ redis.group }}"
+    mode: "0644"
+  notify: "Restart redis container"
+
+- name: "Create redis container"
+  community.docker.docker_container:
+    name: "redis"
+    image: "{{ redis.image }}"
+    restart_policy: "always"
+    state: "started"
+    user: "{{ redis_user_uid }}:{{ redis_group_gid }}"
+    command: |
+      redis-server /usr/local/etc/redis/redis.conf
+    volumes:
+      - "{{ redis.conf_dir }}:/usr/local/etc/redis"
+      - "{{ redis.data_dir }}:/data"
+    networks:
+      - name: loadbalancer
diff --git a/roles/redis/templates/redis.conf.j2 b/roles/redis/templates/redis.conf.j2
@@ -0,0 +1,3 @@
+user {{redis.redis_user}} on +@all ~* &* >{{redis.redis_password}}
+maxmemory {{ redis.max_memory }}
+maxmemory-policy allkeys-lru
diff --git a/roles/redis/vars/main.yml b/roles/redis/vars/main.yml
@@ -0,0 +1 @@
+current_release_appdir: /opt/openconext
diff --git a/roles/sbs/defaults/main.yml b/roles/sbs/defaults/main.yml
@@ -0,0 +1,159 @@
+---
+sbs: "{{ sbs_defaults | combine(sbs_overrides, recursive=true) }}"
+sbs_defaults:
+  openidc_timeout: 86400
+  sram_conf_dir: "{{ current_release_appdir }}/sram"
+
+  work_dir: "{{ sram_conf_dir }}/sbs"
+  git_dir: "{{ sbs.work_dir }}/sbs"
+  env_dir: "{{ sbs.work_dir }}/sbs-env"
+  conf_dir: "{{ sbs.work_dir }}/config"
+  log_dir: "{{ sbs.work_dir }}/log"
+  cert_dir: "{{ sbs.work_dir }}/cert"
+  apache_conf: "{{ sbs.work_dir }}/sbs.conf"
+  nginx_conf: "{{ sbs.work_dir }}/nginx.conf"
+
+
+  db_name: "sbs"
+  db_user: "sbsrw"
+  dbbackup_user: "sbs_backupper"
+  migration_user: "sbs_migrater"
+
+  db_connection: "\
+    mysql+mysqldb://%s:%s@{{ mariadb_host }}/{{ sbs_db_name }}\
+    ?ssl=true&charset=utf8mb4"
+  db_connection_sbs: "{{ sbs_db_connection | format(sbs_db_user, sbs_db_password) }}"
+  db_connection_migration: "\
+    {{ sbs_db_connection | format(sbs_migration_user, sbs_migration_password) }}"
+
+  redis_host: redis
+  redis_port: 6379
+  redis_ssl: false
+  redis_user: default
+
+  mail_host: "{{ mail.relay_to }}"
+  mail_port: "{{ mail.relay_port }}"
+
+  user: "sbs"
+  group: "sbs"
+
+  session_lifetime: 1440
+  secret_key_suffix: ""
+
+  oidc_crypto_password: "CHANGEME"
+  uid_attribute: "sub"
+
+  disclaimer_color: "#a29c13"
+  disclaimer_label: wsgi
+
+  urn_namespace: "urn:example:sbs"
+  eppn_scope: "sbs.example.edu"
+  restricted_co_default_org: "example.org"
+
+  mail_sender_name: "SURF"
+  mail_sender_email: "no-reply@localhost"
+  exceptions_mail: "root@localhost"
+
+  support_email: "sram-support@localhost"
+  admin_email: "sram-beheer@localhost"
+  ticket_email: "sram-support@surf.nl"
+  eduteams_email: "eduteams@localhost"
+
+  wiki_link: "https://www.example.org/wiki"
+
+  backend_port: 8080
+  num_workers: 2
+
+  cron_hour_of_day: 4
+  seed_allowed: True
+  api_keys_enabled: True
+  feedback_enabled: True
+  audit_trail_notifications_enabled: True
+  send_exceptions: False
+  send_js_exceptions: False
+  second_factor_authentication_required: True
+  totp_token_name: "SRAM-example"
+  notifications_enabled: True
+  invitation_reminders_enabled: True
+  invitation_expirations_enabled: True
+  open_requests_enabled: True
+  scim_sweep: False
+  impersonation_allowed: True
+  admin_platform_backdoor_totp: True
+  past_dates_allowed: True
+  mock_scim_enabled: True
+  log_to_stdout: True
+
+  delete_orphaned: True
+  suspension_inactive_days: 365
+  suspension_reminder_days: 14
+  suspension_notify_admin: False
+
+  oidc_config_url: "http://localhost/.well-known/openid-configuration"
+  oidc_authz_endpoint: "http://localhost/OIDC/authorization"
+  oidc_token_endpoint: "http://localhost/OIDC/token"
+  oidc_userinfo_endpoint: "http://localhost/OIDC/userinfo"
+  oidc_jwks_endpoint: "http://localhost/OIDC/jwks.json"
+  oidc_redirect_uri: "https://sbs.scz-vm.net/api/users/resume-session"
+  mfa_idp_allowed: false
+  eduteams_continue_endpoint: "https://localhost/continue"
+  eb_continue_endpoint: "https://engine.(.*)surfconext.nl(.*)"
+  oidc_jwt_audience: "https://localhost"
+  continue_eduteams_redirect_uri: "https://localhost/continue"
+  oidc_verify_peer: False
+  oidc_scopes:
+    - openid
+
+  manage_base_enabled: False
+  manage_base_url: "https://manage.test2.surfconext.nl"
+  manage_sram_rp_entity_id: "sbs.test2.sram.surf.nl"
+  manage_verify_peer: False
+
+  idp_metadata_url: "https://metadata.surfconext.nl/signed/2023/edugain-downstream-idp.xml "
+  backup_dir: "{{backup_base}}/sbs"
+
+  swagger_enabled: true
+
+  ssid_identity_providers: []
+  surf_secure_id:
+    environment: "unknown.example.org"
+    sp_entity_id: "https://sbs.{{base_domain}}"
+    acs_url: "https://{{base_domain}}/api/users/acs"
+    sa_gw_environment: "sa-gw.unknown.example.org"
+    sa_idp_certificate: |
+      -----BEGIN CERTIFICATE-----
+      12345
+      -----END CERTIFICATE-----
+    priv: |
+      -----BEGIN RSA PRIVATE KEY-----
+      abcde
+      -----END RSA PRIVATE KEY-----
+    pub: |
+      -----BEGIN CERTIFICATE-----
+      12345
+      -----END CERTIFICATE-----
+
+  ssid_authncontext: "\
+    http://{{ sbs.surf_secure_id.environment }}/assurance/sfo-level2"
+  ssid_entityid: "\
+    https://{{ sbs.surf_secure_id.sa_gw_environment }}/second-factor-only/metadata"
+  ssid_sso_endpoint: "\
+    https://{{ sbs.surf_secure_id.sa_gw_environment }}/second-factor-only/single-sign-on"
+
+  mfa_sso_minutes: 10
+  mfa_fallback_enabled: true
+
+  ldap_url: "ldap://ldap.example.com/dc=example,dc=com"
+  ldap_bind_account: "cn=admin,dc=entity_id,dc=services,dc=sram-tst,dc=surf,dc=nl"
+
+  csp_style_hashes:
+    - 'sha256-0+ANsgYUJdh56RK8gGvTF2vnriYqvFHfWqtA8xXa+bA='
+    - 'sha256-3SnfHQolDHbZMbDAPmhrZf1keHiXfj/KJyh2phhFAAY='
+    - 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='
+    - 'sha256-Ng6y+QCkPChG4Q49SIfXB5ToIDcDhITtQNFkDBPpCTw='
+    - 'sha256-orBPipbqpMvkNi+Z+m6qEn0XS6ymmAQE6+FwCNs1FbQ='
+    - 'sha256-vFt3L2qLqpJmRpcXGbYr2UVSmgSp9VCUzz2lnqWIATw='
+    - 'sha256-SU3XCwbQ/8qgzoGOWCYdkwIr3xRrl5rsvdFcpw8NSiE='  # on /new-service-request
+    - 'sha256-WTC9gHKjIpzl5ub1eg/YrRy/k+jlzeyRojah9dxAApc='  # on /new-service-request
+
+  engine_block_api_token: secret