diff --git a/misc/vaults/vault_hcaptcha.yml b/misc/vaults/vault_hcaptcha.yml index 66214c37ebceba3e4b95c25579c45f3625854c11..35fc881ddd44ce6c0b8b48c1b66e1cca6416afb8 100644 --- a/misc/vaults/vault_hcaptcha.yml +++ b/misc/vaults/vault_hcaptcha.yml @@ -1,16 +1,18 @@ $ANSIBLE_VAULT;1.2;AES256;super -66393332376266313239623134383062653533363433386537313161623731646437643934376333 -3030643638623062653964333862323731326165623636370a616632313130363861336238656362 -64613737323939633037636136316335303434653033313634313039363537303130353166313034 -6266636635653536330a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a336131333336353137663266326430 +62653764376137626266356636626234633232666263346631646635333861633662316139636663 +3831653264303762340a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diff --git a/roles/keycloak/tasks/main.yml b/roles/keycloak/tasks/main.yml index d3a221df6e515bd90bf7c2e217da1fdef41a360c..787c9f3d13e975f02c657c77ff0baab4c086d83c 100644 --- a/roles/keycloak/tasks/main.yml +++ b/roles/keycloak/tasks/main.yml @@ -1,5 +1,5 @@ - name: Install keycloak - pacman: name=jre11-openjdk,keycloak,keycloak-archlinux-theme,keycloak-metrics-spi,python-passlib state=present + pacman: name=jre11-openjdk,keycloak,keycloak-archlinux-theme,keycloak-metrics-spi,keycloak-hcaptcha,python-passlib state=present - name: Create postgres keycloak user postgresql_user: name="{{ vault_keycloak_db_user }}" password="{{ vault_keycloak_db_password }}" diff --git a/tf-stage2/.terraform.lock.hcl b/tf-stage2/.terraform.lock.hcl index 8db3ebc9db003b09ef34dee52fde15f2880248ff..9102510c7a97995a697bf7184b5460497b06ebad 100644 --- a/tf-stage2/.terraform.lock.hcl +++ b/tf-stage2/.terraform.lock.hcl 
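Review bot: The `pacman` task now installs `keycloak-hcaptcha`, but nothing in this hunk restarts or rebuilds Keycloak afterwards, so an already-running instance will not expose the new authenticator provider until its next restart. The Terraform side of this same commit registers an execution with `authenticator = "registration-hcaptcha-action"`, which the server can only accept once that SPI is loaded. If the role has a Keycloak restart handler (not visible in this hunk), add `notify: restart keycloak` (or the handler's actual name) to this task; otherwise document that a restart is required before tf-stage2 is applied. The rest of the role's task list lies outside the hunk.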
@@ -2,45 +2,45 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/external" { - version = "2.2.2" + version = "2.3.1" hashes = [ - "h1:e7RpnZ2PbJEEPnfsg7V0FNwbfSk0/Z3FdrLsXINBmDY=", - "zh:0b84ab0af2e28606e9c0c1289343949339221c3ab126616b831ddb5aaef5f5ca", - "zh:10cf5c9b9524ca2e4302bf02368dc6aac29fb50aeaa6f7758cce9aa36ae87a28", - "zh:56a016ee871c8501acb3f2ee3b51592ad7c3871a1757b098838349b17762ba6b", - "zh:719d6ef39c50e4cffc67aa67d74d195adaf42afcf62beab132dafdb500347d39", + "h1:bROCw6g5D/3fFnWeJ01L4IrdnJl1ILU8DGDgXCtYzaY=", + "zh:001e2886dc81fc98cf17cf34c0d53cb2dae1e869464792576e11b0f34ee92f54", + "zh:2eeac58dd75b1abdf91945ac4284c9ccb2bfb17fa9bdb5f5d408148ff553b3ee", + "zh:2fc39079ba61411a737df2908942e6970cb67ed2f4fb19090cd44ce2082903dd", + "zh:472a71c624952cff7aa98a7b967f6c7bb53153dbd2b8f356ceb286e6743bb4e2", + "zh:4cff06d31272aac8bc35e9b7faec42cf4554cbcbae1092eaab6ab7f643c215d9", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:7fbfc4d37435ac2f717b0316f872f558f608596b389b895fcb549f118462d327", - "zh:8ac71408204db606ce63fe8f9aeaf1ddc7751d57d586ec421e62d440c402e955", - "zh:a4cacdb06f114454b6ed0033add28006afa3f65a0ea7a43befe45fc82e6809fb", - "zh:bb5ce3132b52ae32b6cc005bc9f7627b95259b9ffe556de4dad60d47d47f21f0", - "zh:bb60d2976f125ffd232a7ccb4b3f81e7109578b23c9c6179f13a11d125dca82a", - "zh:f9540ecd2e056d6e71b9ea5f5a5cf8f63dd5c25394b9db831083a9d4ea99b372", - "zh:ffd998b55b8a64d4335a090b6956b4bf8855b290f7554dd38db3302de9c41809", + "zh:7ed16ccd2049fa089616b98c0bd57219f407958f318f3c697843e2397ddf70df", + "zh:842696362c92bf2645eb85c739410fd51376be6c488733efae44f4ce688da50e", + "zh:8985129f2eccfd7f1841ce06f3bf2bbede6352ec9e9f926fbaa6b1a05313b326", + "zh:a5f0602d8ec991a5411ef42f872aa90f6347e93886ce67905c53cfea37278e05", + "zh:bf4ab82cbe5256dcef16949973bf6aa1a98c2c73a98d6a44ee7bc40809d002b8", + "zh:e70770be62aa70198fa899526d671643ff99eecf265bf1a50e798fc3480bd417", ] } provider 
"registry.terraform.io/mrparkers/keycloak" { - version = "4.0.1" + version = "4.3.1" hashes = [ - "h1:z6heuWAzDy7WO7cbpw2QEfdZMqbF5roM6mcQX+ec4gM=", - "zh:136b81afb4bdf7b71bcaeefde00a8e097d20199037971a552046ac197d648875", - "zh:1cb69126e08c58cf7b67b14ecfa3999ba952f60f5ec2918796ec57486576c202", - "zh:1d51c878d0ca7cd3014025e2e01f6d1ee7fc73e7ccb67a1833765c3183224513", - "zh:335727454863886d6865cae3a5131cc3cca6dbfe251729669bce5d431a9b91df", - "zh:33af47e488fdce76101c9e25b3fa9bc3c9b07caf618e194584d356a261736c13", - "zh:68a4583a5026a87c6ce2684c54473eb9cef5408f865d0580fe5d9875c032180c", - "zh:68c7b96c6b553018321413d2d208cd4d0ebc83942affd565c8e51d04f18dac3b", - "zh:7868a220f477bdc4dc66449bb020fd74fc43168b66869906d025990a67a346d9", - "zh:7a7fbe2a8e38bba5928b57fbd1e94956d1e7f72e461145fef0ada8ce7fccb645", - "zh:87df541fdb3569204d53fe21aca032c01dc234859085cce6a9febf0ca0129183", - "zh:8d0eaa5031a6937dcb06d0ced7ae871328c87a3cb8cd8bceef71b08c094d7a66", - "zh:9616d1ff5ed8377920f9b89eac0cf2103969d2cde829dac55e7a2c3e208baa97", - "zh:99af64a38b7f5e3a7c714cb485321280a83dfed2efcbe0751923aca725fb6d51", - "zh:b3c1977bad48f8df311a9f25e7fa2a57ff175768cc548533f4d4a2b8652e5b9a", - "zh:c6b97dd6162934155454f3f891c4f32185af9e48ceb5e2d71dd7dce74f95efcf", - "zh:c924c9dabaa64b8dcef39bda9b67af27a714eb87ee1e01bd404b5823dc604b18", - "zh:db3b4d02fef69217055ac1536902bb694f3800c5d9929c7032ab31a3bd7147e1", + "h1:iYMw6G+fa3ZxO0u1yd+AKwhIqbeb6zICCRHCCR34xt8=", + "zh:2476767ef61e2e4a3e9c654e07bafc550ba36232c91301edcc703eb580d7cf1c", + "zh:3c60a8d9284ed5bc1c3a57f948bd726a29eecb1cf283f43f9f6df3b6595022d3", + "zh:4087277c8e79d72524d806048715c07d196faaf1ff8475131f558a6178f9d6f6", + "zh:426b4dde08ea33c32d9e2cc8c6a7a7b06a2d339f5770b6dc6f83cb5b8ca9b793", + "zh:476c52c28ebd97d2c14be1254e37b568625398090e0a828562f30c55429835eb", + "zh:563d21232e5cf2f5012f9a7c4ce6a6fd479b53383a47e44174c4855bdb536e29", + "zh:6542076d66db89e668bd916e20c6dc26059318e5f8ad9367d9699e6f3deffbd4", + 
"zh:66542debaec2514701a3744a13e01d188ebb5fbb044c9ee2bc484df2a975d72f",
+ "zh:77b37b37e76be7f21358ed683d1a5aa4f788af9f9c761e005d153b724d61b69a",
+ "zh:7e4ed34fb2523ca52b3b59cc992741dc41f56415655dce98d75c323a0b45debb",
+ "zh:7f703fc12304c767e5067aebf4302e232b4e5eee3fd184bacb95f368f4bc2b30",
+ "zh:930bc8ce87a1f883fdbf1466ba7d972929baaeaecba1b9099ddd030cc8ffe148",
+ "zh:cf2e7f5ca1cb0e70342815ede3530caff2fdefaf0d3e5993349e333ac1df1bf7",
+ "zh:cf87def6c46c997d9601ad10f4632882c9f1791f1c220cf29c2c6c144e51d0e2",
+ "zh:d168f1702efe239d7fdef8bf55ca526f53181f6b44ac9b91bcd7c26941116682",
+ "zh:e631c5ddd5116a730cc0da1b18879a4312edcb6f8edac2e6fa77d72c7ef334be",
+ "zh:f2f8ccaf97866e9d3f27449896c105c7fa325cedc65a62f618f38ff8e57a4d46",
 ]
 }
diff --git a/tf-stage2/keycloak.tf b/tf-stage2/keycloak.tf
index 40fbd8c5b3bc8b29e5391d9f0940f99f60cb7344..87196709f136be184c99a664b6fc757b65f38196 100644
--- a/tf-stage2/keycloak.tf
+++ b/tf-stage2/keycloak.tf
@@ -14,10 +14,10 @@ data "external" "vault_keycloak" {
 "--format", "json"]
 }
-data "external" "vault_google" {
- program = ["${path.module}/../misc/get_key.py", "${path.module}/../group_vars/all/vault_google.yml",
- "vault_google_recaptcha_site_key",
- "vault_google_recaptcha_secret_key",
+data "external" "vault_hcaptcha" {
+ program = ["${path.module}/../misc/get_key.py", "${path.module}/../misc/vaults/vault_hcaptcha.yml",
+ "vault_hcaptcha_accounts_archlinux_org_sitekey",
+ "vault_hcaptcha_secret_key",
 "--format", "json"]
 }
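Review bot: The hCaptcha secret fetched through `data "external" "vault_hcaptcha"` ends up in cleartext in both `terraform plan` output and the state file, because `data.external` returns a plain string map with no sensitive marking. This is the same exposure the pre-existing `vault_keycloak` data source has, but it deserves stating next to a newly added secret: keep state-backend access tightly restricted, and at the point of use wrap it as `sensitive(data.external.vault_hcaptcha.result.vault_hcaptcha_secret_key)` if the Terraform version in use is 0.15 or newer, so the value is at least redacted from plan diffs. A short comment on the data source would also help the next reader, e.g. `# Only vault_hcaptcha_secret_key is secret; the sitekey is public and is embedded in the registration page.` The `vault_keycloak` data source that precedes this one starts before the hunk.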
@@ -110,8 +110,8 @@ resource "keycloak_realm" "archlinux" {
 security_defenses {
 headers {
- x_frame_options = "ALLOW-FROM https://www.google.com"
- content_security_policy = "frame-src 'self' https://www.google.com; frame-ancestors 'self'; object-src 'none';"
+ x_frame_options = "ALLOW-FROM https://www.google.com https://newassets.hcaptcha.com"
+ content_security_policy = "frame-src 'self' https://www.google.com https://newassets.hcaptcha.com; frame-ancestors 'self'; object-src 'none';"
 content_security_policy_report_only = ""
 x_content_type_options = "nosniff"
 x_robots_tag = "none"
@@ -472,11 +472,11 @@ resource "keycloak_group_roles" "externalcontributor" {
 ]
 }
-// Add new custom registration flow with reCAPTCHA
+// Add new custom registration flow with hCaptcha
 resource "keycloak_authentication_flow" "arch_registration_flow" {
 realm_id = "archlinux"
 alias = "Arch Registration"
- description = "Customized Registration flow that forces enables ReCAPTCHA."
+ description = "Customized Registration flow that forces enables hCaptcha."
 }
 resource "keycloak_authentication_subflow" "registration_form" {
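Review bot: `x_frame_options = "ALLOW-FROM https://www.google.com https://newassets.hcaptcha.com"` is not a valid header value and points in the wrong direction anyway: `X-Frame-Options` restricts who may embed this page (which `frame-ancestors 'self'` in the CSP already does), whereas the hCaptcha widget is something this page embeds, and that is what the `frame-src` addition on the next line covers. `ALLOW-FROM` is deprecated, was never implemented by Chromium or Safari, and accepts a single origin, so browsers that do not understand the value ignore the header entirely and the only remaining clickjacking protection is the CSP. Suggest `x_frame_options = "SAMEORIGIN"` to mirror `frame-ancestors 'self'`, and keep the captcha hosts in `frame-src` only. I have not checked hCaptcha's current CSP requirements, so it is worth confirming in a browser that `newassets.hcaptcha.com` alone is enough for the widget to render under this policy (the policy sets no `script-src`, so the loader script itself is unrestricted).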
@@ -511,22 +511,21 @@ resource "keycloak_authentication_execution" "registration_password_action" {
 depends_on = [keycloak_authentication_execution.registration_profile_action]
 }
-resource "keycloak_authentication_execution" "registration_recaptcha_action" {
+resource "keycloak_authentication_execution" "registration_hcaptcha_action" {
 realm_id = "archlinux"
 parent_flow_alias = keycloak_authentication_subflow.registration_form.alias
- authenticator = "registration-recaptcha-action"
+ authenticator = "registration-hcaptcha-action"
 requirement = "REQUIRED"
 depends_on = [keycloak_authentication_execution.registration_password_action]
 }
-resource "keycloak_authentication_execution_config" "registration_recaptcha_action_config" {
+resource "keycloak_authentication_execution_config" "registration_hcaptcha_action_config" {
 realm_id = "archlinux"
- alias = "reCAPTCHA config"
- execution_id = keycloak_authentication_execution.registration_recaptcha_action.id
+ alias = "hCaptcha config"
+ execution_id = keycloak_authentication_execution.registration_hcaptcha_action.id
 config = {
- "useRecaptchaNet" = "false",
- "site.key" = data.external.vault_google.result.vault_google_recaptcha_site_key
- "secret" = data.external.vault_google.result.vault_google_recaptcha_secret_key
+ "site.key" = data.external.vault_hcaptcha.result.vault_hcaptcha_accounts_archlinux_org_sitekey
+ "secret" = data.external.vault_hcaptcha.result.vault_hcaptcha_secret_key
 }
 }
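Review bot: Renaming the resources from `registration_recaptcha_action` to `registration_hcaptcha_action` makes Terraform destroy the old execution and create a fresh one instead of updating in place, so the registration subflow has no captcha step at all for the window between the two operations during apply, and the new execution is placed wherever Keycloak appends it within `registration_form` — check the resulting execution order in the admin console after apply. The `authenticator = "registration-hcaptcha-action"` provider id and the `"site.key"` / `"secret"` config keys have to match what the `keycloak-hcaptcha` SPI actually exports; I cannot verify them from this diff, so a comment pointing at their origin would help, e.g. `# Provider id and config keys are those of the keycloak-hcaptcha SPI installed by roles/keycloak.` If the apply fails with an unknown authenticator, the SPI has not been loaded on the server yet and the fix belongs in the Ansible role's install/restart ordering rather than here.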