diff --git a/roles/apachefpm/files/stepuplogging.conf b/roles/apachefpm/files/stepuplogging.conf
deleted file mode 100644
index 501b9ae2f..000000000
--- a/roles/apachefpm/files/stepuplogging.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-
- LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{X-Forwarded-For}i\" \"%{x-stepup-request-id}o\"" stepup
-
-
diff --git a/roles/apachefpm/handlers/main.yml b/roles/apachefpm/handlers/main.yml
deleted file mode 100644
index 255608685..000000000
--- a/roles/apachefpm/handlers/main.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-- name: restart phpfpm
- service:
- name: php72-php-fpm
- state: restarted
-
-- name: restart httpd
- service:
- name: httpd
- state: restarted
diff --git a/roles/apachefpm/tasks/main.yml b/roles/apachefpm/tasks/main.yml
deleted file mode 100644
index 02ef424cb..000000000
--- a/roles/apachefpm/tasks/main.yml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-- name: Add group {{ appname }}
- group:
- name: "{{ appname }}"
- state: present
-
-- name: Add user {{ appname }}
- user:
- name: "{{ appname }}"
- group: "{{ appname }}"
- createhome: no
- state: present
-
-- name: Create directory for vhosts to store PHP sessions
- file:
- path: "{{ php_session_dir}}/{{ appname }}"
- state: directory
- owner: "{{ appname }}"
- group: root
- mode: 0770
-
-- name: Add stepup logformat config
- copy:
- src: stepuplogging.conf
- dest: /etc/httpd/conf.d/stepuplogging.conf
- notify:
- - "restart httpd"
-
-- name: Install Apache vhost
- template:
- src: "apachevhost.j2"
- dest: "/etc/httpd/conf.d/{{ appname }}.conf"
- notify:
- - "restart httpd"
-
-- name: Install php-fpm 72 config
- template:
- src: "phpfpm.j2"
- dest: "/etc/opt/remi/php72/php-fpm.d/{{ appname }}.conf"
- notify:
- - "restart phpfpm"
diff --git a/roles/apachefpm/templates/apachevhost.j2 b/roles/apachefpm/templates/apachevhost.j2
deleted file mode 100644
index f90b40f1a..000000000
--- a/roles/apachefpm/templates/apachevhost.j2
+++ /dev/null
@@ -1,43 +0,0 @@
-Listen {{ ansible_default_ipv4.address }}:{{ loadbalancingport }}
-
- ServerName {{ vhost_name }}
- ServerAdmin {{ admin_email }}
-
- DocumentRoot {{ current_release_symlink }}/public
-
- SetEnv HTTPS on
- SetEnv APP_ENV prod
- SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
-
-
- Require all granted
-
- Options -MultiViews
- RewriteEngine On
- RewriteCond %{REQUEST_FILENAME} !-f
- RewriteRule ^(.*)$ index.php [QSA,L]
-
-
- Header always set X-Content-Type-Options "nosniff"
-
- # Proxy the requests to FPM
-
- SetHandler proxy:unix:/var/run/php-fpm/{{ appname }}-pool-72.sock|fcgi://dummy
-
-
- ErrorLog "|/usr/bin/logger -S 32k -p local3.err -t 'Apache-{{ appname }}'"
- CustomLog "|/usr/bin/logger -S 32k -p local3.info -t 'Apache-{{ appname }}'" stepup
- {% if haproxy_backend_tls %}
- SSLEngine on
- SSLCertificateFile {{ tls.cert_path }}/backend.{{ base_domain }}.pem
- SSLCertificateKeyFile {{ tls.cert_private_path }}/backend.{{ base_domain }}.key
- Include ssl_backend.conf
- {% endif %}
-
- ExpiresActive on
- ExpiresByType font/* "access plus 1 year"
- ExpiresByType image/* "access plus 6 months"
- ExpiresByType text/css "access plus 1 year"
- ExpiresByType text/js "access plus 1 year"
-
-
diff --git a/roles/apachefpm/templates/phpfpm.j2 b/roles/apachefpm/templates/phpfpm.j2
deleted file mode 100644
index df1342317..000000000
--- a/roles/apachefpm/templates/phpfpm.j2
+++ /dev/null
@@ -1,22 +0,0 @@
-[{{ appname }}]
-listen = /var/run/php-fpm/{{ appname }}-pool-72.sock
-listen.allowed_clients = 127.0.0.1
-listen.owner = apache
-listen.group = apache
-listen.mode = 0640
-user = {{ appname }}
-group = {{ appname }}
-pm = dynamic
-pm.max_children = 40
-pm.start_servers = 5
-pm.min_spare_servers = 5
-pm.max_spare_servers = 35
-pm.status_path = /status
-php_admin_flag[log_errors] = on
-php_admin_value[memory_limit] = {{ fpmmemory | default('128M') }}
-php_value[session.save_handler] = files
-php_value[session.save_path] = {{ php_session_dir }}/{{ appname }}
-php_value[disable_functions] = {{ php_disabled_functions }}
-php_value[session.cookie_domain] = {{ vhost_name }}
-php_value[session.cookie_lifetime] = 0
-php_value[session.gc_maxlifetime] = {{ app_session_expiry_time }}
diff --git a/roles/haproxy/README.md b/roles/haproxy/README.md
index 857f3a08a..8a3628fae 100644
--- a/roles/haproxy/README.md
+++ b/roles/haproxy/README.md
@@ -16,7 +16,7 @@ haproxy_applications:
- name: engine
vhost_name: engine.{{ base_domain }}
- port: "{{ loadbalancing.engine.port }}"
+ port: "443"
ha_method: "GET"
ha_url: "/health"
servers: "{{ php_servers }}"
@@ -25,7 +25,7 @@ haproxy_applications:
vhost_name: manage.{{ base_domain }}
ha_method: "GET"
ha_url: "/health"
- port: "{{ loadbalancing.manage.port }}"
+ port: "443"
servers: "{{ php_servers }}"
stagingservers: "{{ staging_servers }}"
sslbackend: yes
diff --git a/roles/metadata/templates/metadata.conf.j2 b/roles/metadata/templates/metadata.conf.j2
deleted file mode 100644
index 292e9ed32..000000000
--- a/roles/metadata/templates/metadata.conf.j2
+++ /dev/null
@@ -1,43 +0,0 @@
-{% if apache_app_listen_address.metadata is defined %}
-Listen {{ apache_app_listen_address.metadata }}:{{ loadbalancing.metadata.port }}
-
-{% else %}
-
-{% endif %}
- ServerName metadata.{{ base_domain }}:443
-
- DocumentRoot {{ metadata_dir }}
-
- Require all granted
-
-
- Header always set Content-Security-Policy "{{ httpd_csp.strict }}"
- Header always set X-Frame-Options "DENY"
- Header always set Referrer-Policy "strict-origin-when-cross-origin"
- Header always set X-Content-Type-Options "nosniff"
- Header always set X-XSS-Protection "1; mode=block"
-
- AddType application/x-pem-file .pem
- AddType application/samlmetadata+xml .xml
-
- ForceType application/samlmetadata+xml
-
-
- ErrorLog "|/usr/bin/logger -S 32k -p local3.err -t 'Apache-METADATA'"
- CustomLog "|/usr/bin/logger -S 32k -p local3.info -t 'Apache-METADATA'" combined
-
- {% if haproxy_backend_tls %}
- SSLEngine on
- SSLCertificateFile {{ tls.cert_path }}/backend.{{ base_domain }}.pem
- SSLCertificateKeyFile {{ tls.cert_private_path }}/backend.{{ base_domain }}.key
- Include ssl_backend.conf
- {% endif %}
- {% if apache_app_listen_address.all is defined %}
- SSLEngine on
- SSLCertificateFile {{ tls.cert_path }}/{{ tls_star_cert }}
- SSLCertificateKeyFile {{ tls.cert_private_path }}/{{ tls_star_cert_key }}
- SSLCertificateChainFile {{ tls.cert_path_ca }}/{{ tls_ca }}
- Include ssl_backend.conf
- {% endif %}
-
-
diff --git a/roles/mujina-idp/templates/mujina_idp.conf.j2 b/roles/mujina-idp/templates/mujina_idp.conf.j2
deleted file mode 100644
index 8cd54e65b..000000000
--- a/roles/mujina-idp/templates/mujina_idp.conf.j2
+++ /dev/null
@@ -1,35 +0,0 @@
-{% if apache_app_listen_address.mujina_idp is defined %}
-Listen {{ apache_app_listen_address.mujina_idp }}:{{ loadbalancing.mujina_idp.port }}
-
-{% else %}
-
-{% endif %}
- ServerName https://mujina-idp.{{ base_domain }}
-
- UseCanonicalName On
-
- ErrorLog "|/usr/bin/logger -S 32k -p local3.err -t 'Apache-mujina-idp'"
- CustomLog "|/usr/bin/logger -S 32k -p local3.info -t 'Apache-mujina-idp'" combined
-
- ProxyPass /health http://localhost:{{ springapp_tcpport }}/internal/health retry=0
- ProxyPass /info http://localhost:{{ springapp_tcpport }}/internal/info retry=0
-
- ProxyPass / http://localhost:{{ springapp_tcpport }}/ retry=0
- ProxyPassReverse / http://localhost:{{ springapp_tcpport }}/ retry=0
-
- {% if haproxy_backend_tls %}
- SSLEngine on
- SSLCertificateFile {{ tls.cert_path }}/backend.{{ base_domain }}.pem
- SSLCertificateKeyFile {{ tls.cert_private_path }}/backend.{{ base_domain }}.key
- Include ssl_backend.conf
- {% endif %}
-
- {% if apache_app_listen_address.all is defined %}
- SSLEngine on
- SSLCertificateFile {{ tls.cert_path }}/{{ tls_star_cert }}
- SSLCertificateKeyFile {{ tls.cert_private_path }}/{{ tls_star_cert_key }}
- SSLCertificateChainFile {{ tls.cert_path_ca }}/{{ tls_ca }}
- Include ssl_backend.conf
- {% endif %}
-
-
diff --git a/roles/oidcng/templates/oidcng.conf.j2 b/roles/oidcng/templates/oidcng.conf.j2
deleted file mode 100644
index 40b7cfad8..000000000
--- a/roles/oidcng/templates/oidcng.conf.j2
+++ /dev/null
@@ -1,34 +0,0 @@
-{% if apache_app_listen_address.oidcng is defined %}
-Listen {{ apache_app_listen_address.oidcng }}:{{ loadbalancing.oidcng.port }}
-
-{% else %}
-
-{% endif %}
-
- ServerName https://{{ oidcng_base_hostname }}
-
- ErrorLog "|/usr/bin/logger -S 32k -p local3.err -t 'Apache-oidcng'"
- CustomLog "|/usr/bin/logger -S 32k -p local3.info -t 'Apache-oidcng'" combined
- LimitRequestFieldSize 16384
- ProxyPass /.well-known/openid-configuration http://localhost:{{ springapp_tcpport}}/oidc/.well-known/openid-configuration retry=0
- ProxyPass /actuator http://localhost:{{ springapp_tcpport}}/internal retry=0
-
- ProxyPass / http://localhost:{{ springapp_tcpport }}/ retry=0
- ProxyPassReverse / http://localhost:{{ springapp_tcpport }}/ retry=0
-
- {% if haproxy_backend_tls %}
- SSLEngine on
- SSLCertificateFile {{ tls.cert_path }}/backend.{{ base_domain }}.pem
- SSLCertificateKeyFile {{ tls.cert_private_path }}/backend.{{ base_domain }}.key
- Include ssl_backend.conf
- {% endif %}
-
- {% if apache_app_listen_address.all is defined %}
- SSLEngine on
- SSLCertificateFile {{ tls.cert_path }}/{{ tls_star_cert }}
- SSLCertificateKeyFile {{ tls.cert_private_path }}/{{ tls_star_cert_key }}
- SSLCertificateChainFile {{ tls.cert_path_ca }}/{{ tls_ca }}
- Include ssl_backend.conf
- {% endif %}
-
-
diff --git a/roles/static/templates/static.conf.j2 b/roles/static/templates/static.conf.j2
deleted file mode 100644
index 034ba2dad..000000000
--- a/roles/static/templates/static.conf.j2
+++ /dev/null
@@ -1,33 +0,0 @@
-{% if apache_app_listen_address.static is defined %}
-Listen {{ apache_app_listen_address.static }}:{{ loadbalancing.static.port }}
-
-{% else %}
-
-{% endif %}
- ServerName static.{{ base_domain }}:443
-
- DocumentRoot {{ static_dir }}
-
- Header always set Referrer-Policy "strict-origin-when-cross-origin"
- Header always set X-Content-Type-Options "nosniff"
- Header always set X-XSS-Protection "1; mode=block"
-
- ErrorLog "|/usr/bin/logger -S 32k -p local3.err -t 'Apache-STATIC'"
- CustomLog "|/usr/bin/logger -S 32k -p local3.info -t 'Apache-STATIC'" combined
-
- {% if haproxy_backend_tls %}
- SSLEngine on
- SSLCertificateFile {{ tls.cert_path }}/backend.{{ base_domain }}.pem
- SSLCertificateKeyFile {{ tls.cert_private_path }}/backend.{{ base_domain }}.key
- Include ssl_backend.conf
- {% endif %}
-
- {% if apache_app_listen_address.all is defined %}
- SSLEngine on
- SSLCertificateFile {{ tls.cert_path }}/{{ tls_star_cert }}
- SSLCertificateKeyFile {{ tls.cert_private_path }}/{{ tls_star_cert_key }}
- SSLCertificateChainFile {{ tls.cert_path_ca }}/{{ tls_ca }}
- Include ssl_backend.conf
- {% endif %}
-
-
diff --git a/roles/stepupazuremfa/vars/main.yml b/roles/stepupazuremfa/vars/main.yml
index fbadef306..1e88abc46 100644
--- a/roles/stepupazuremfa/vars/main.yml
+++ b/roles/stepupazuremfa/vars/main.yml
@@ -1,6 +1,5 @@
appname: "azuremfa"
vhost_name: "{{ appname }}.{{ base_domain }}"
-loadbalancingport: "411"
appversion: "{{ azuremfa_version }}"
appversion_sha: "{{ azuremfa_version_sha }}"
stepup_gh_appname: "Azure-MFA"
diff --git a/roles/stepupgateway/vars/main.yml b/roles/stepupgateway/vars/main.yml
index ca601a1d6..cf9fe7707 100644
--- a/roles/stepupgateway/vars/main.yml
+++ b/roles/stepupgateway/vars/main.yml
@@ -1,6 +1,5 @@
appname: "gateway"
vhost_name: "sa-gw.{{ base_domain }}"
-loadbalancingport: "414"
appversion: "{{ gateway_version }}"
appversion_sha: "{{ gateway_version_sha }}"
stepup_gh_appname: "Gateway"
diff --git a/roles/stepupmiddleware/tasks/main.yml b/roles/stepupmiddleware/tasks/main.yml
index f95960bcd..f9799b5f5 100644
--- a/roles/stepupmiddleware/tasks/main.yml
+++ b/roles/stepupmiddleware/tasks/main.yml
@@ -6,12 +6,3 @@
or 'push_mw_whitelist' in ansible_run_tags
or 'stepupmiddleware' in ansible_run_tags
or 'stepup' in ansible_run_tags)"
-
-- name: Include vm tasks when running on a vm
- import_tasks: vm.yml
- when: "'docker' not in group_names
- and ('push_mw_config' in ansible_run_tags
- or 'push_mw_institution' in ansible_run_tags
- or 'push_mw_whitelist' in ansible_run_tags
- or 'stepupmiddleware' in ansible_run_tags
- or 'stepup' in ansible_run_tags)"
diff --git a/roles/stepupmiddleware/tasks/vm.yml b/roles/stepupmiddleware/tasks/vm.yml
deleted file mode 100644
index ceab80cb6..000000000
--- a/roles/stepupmiddleware/tasks/vm.yml
+++ /dev/null
@@ -1,133 +0,0 @@
-- name: Install Apache and FPM config
- include_role:
- name: apachefpm
-
-- name: Install the symfony app
- include_role:
- name: stepupapp
-
-- name: Place parameters.yml
- template:
- src: parameters.yaml.j2
- dest: "{{ current_release_config_dir_name }}/parameters.yaml"
- mode: 0640
- owner: root
- group: "{{ appname }}"
- notify:
- - clear cache {{ appname }}
- - reload php72-fpm {{ appname }}
-
-- name: Activate the symlink
- file:
- src: "{{ current_release_appdir }}"
- dest: "{{ current_release_symlink }}"
- state: link
-
-- name: Put middleware configuration scripts in /root/
- template:
- src: "{{ item }}.j2"
- dest: "/root/{{ item }}"
- group: "root"
- owner: "root"
- mode: "0500"
- with_items:
- - "01-middleware-db_migrate.sh"
- - "06-middleware-bootstrap-sraa-users.sh"
-
-- name: Create /opt/scripts
- file:
- path: /opt/scripts
- state: directory
- owner: root
- group: root
- mode: 0750
-
-- name: Put middleware config from environment in /opt/scripts
- template:
- src: "{{ inventory_dir }}/templates/middleware/{{ item }}.j2"
- dest: "/opt/scripts/{{ item }}"
- group: "{{ appname }}"
- owner: "{{ appname }}"
- mode: "0400"
- with_items:
- - "middleware-config.json"
- - "middleware-whitelist.json"
- - "middleware-institution.json"
- tags:
- - push_mw_config
- - push_mw_institution
- - push_mw_whitelist
-
-- name: Put middleware configuration scripts in /opt/scripts
- template:
- src: "{{ item}}.j2"
- dest: "/opt/scripts/{{ item }}"
- group: "{{ appname }}"
- owner: root
- mode: "0550"
- with_items:
- - "middleware-push-config.sh"
- - "middleware-push-whitelist.sh"
- - "middleware-push-institution.sh"
-
-- name: Create symlinks to middleware configuration scripts in /root
- file:
- src: "/opt/scripts/{{ item.key }}"
- dest: "/root/{{ item.value }}"
- group: "{{ appname }}"
- owner: root
- state: link
- force: true
- with_dict:
- "middleware-push-config.sh": "02-middleware-config.sh"
- "middleware-push-whitelist.sh": "04-middleware-whitelist.sh"
- "middleware-push-institution.sh": "05-middleware-institution.sh"
-
-- meta: flush_handlers
-
-- name: Include post installation tasks
- include_role:
- name: stepupapp
- tasks_from: postinstall
-
-# The following push scripts have an additional conditional check on the presence of
-# a tag, so these are only ran when explicitly called.
-
-- name: Push middleware configuration
- command: /opt/scripts/middleware-push-config.sh
- run_once: true
- when:
- - "'push_mw_config' in ansible_run_tags"
- tags:
- - push_mw_config
-
-- name: Push middleware whitelist
- command: /opt/scripts/middleware-push-whitelist.sh
- run_once: True
- when:
- - "'push_mw_whitelist' in ansible_run_tags"
- tags:
- - push_mw_whitelist
-
-- name: Push middleware institution configuration
- command: /opt/scripts/middleware-push-institution.sh
- run_once: True
- when:
- - "'push_mw_institution' in ansible_run_tags"
- tags:
- - push_mw_institution
-
-
-# Middleware migrate identities from CSV
-
-- name: Migrate middleware identities from CSV
- include_tasks: migrate_identities.yml
- args:
- apply:
- tags:
- - mw_migrate_identities
- run_once: True
- when:
- - "'mw_migrate_identities' in ansible_run_tags"
- tags:
- - mw_migrate_identities
diff --git a/roles/stepupra/vars/main.yml b/roles/stepupra/vars/main.yml
index 996a4ff2c..ec6a43993 100644
--- a/roles/stepupra/vars/main.yml
+++ b/roles/stepupra/vars/main.yml
@@ -1,7 +1,6 @@
---
appname: "ra"
vhost_name: "{{ appname }}.{{ base_domain }}"
-loadbalancingport: "416"
appversion: "{{ ra_version }}"
appversion_sha: "{{ ra_version_sha }}"
stepup_gh_appname: "RA"
diff --git a/roles/stepupselfservice/vars/main.yml b/roles/stepupselfservice/vars/main.yml
index 828ec6de1..c8131fdb0 100644
--- a/roles/stepupselfservice/vars/main.yml
+++ b/roles/stepupselfservice/vars/main.yml
@@ -1,7 +1,6 @@
---
appname: "selfservice"
vhost_name: "sa.{{ base_domain }}"
-loadbalancingport: "415"
appversion: "{{ selfservice_version }}"
appversion_sha: "{{ selfservice_version_sha }}"
stepup_gh_appname: "SelfService"
diff --git a/roles/stepuptiqr/vars/main.yml b/roles/stepuptiqr/vars/main.yml
index 18fed7cfb..e936dd230 100644
--- a/roles/stepuptiqr/vars/main.yml
+++ b/roles/stepuptiqr/vars/main.yml
@@ -1,7 +1,6 @@
---
appname: "tiqr"
vhost_name: "{{ appname }}.{{ base_domain }}"
-loadbalancingport: "412"
appversion: "{{ tiqr_version }}"
appversion_sha: "{{ tiqr_version_sha }}"
stepup_gh_appname: tiqr
diff --git a/roles/stepupwebauthn/vars/main.yml b/roles/stepupwebauthn/vars/main.yml
index d24106cf0..dab1f5781 100644
--- a/roles/stepupwebauthn/vars/main.yml
+++ b/roles/stepupwebauthn/vars/main.yml
@@ -1,7 +1,6 @@
---
appname: "webauthn"
vhost_name: "{{ appname }}.{{ base_domain }}"
-loadbalancingport: "410"
appversion: "{{ webauthn_version }}"
appversion_sha: "{{ webauthn_version_sha }}"
stepup_gh_appname: Webauthn