author | Christian Pointner <equinox@spreadspace.org> | 2023-11-13 21:56:24 +0100 |
committer | Christian Pointner <equinox@spreadspace.org> | 2023-11-13 21:56:24 +0100 |
commit | a0c1aa799d94c3ce0c697bfd6777e0233dd77d92 (patch) | |
tree | 0c2b858fc4526bc64edc1668da4580f8d54d6ef3 | |
parent | add role nginx/auth/whawty-sso (diff) |
finalize whawty.nginx-sso roles
-rw-r--r-- | chaos-at-home/ch-testvm-prometheus.yml | 52 | ||||
-rw-r--r-- | inventory/host_vars/ch-http-proxy.yml | 4 | ||||
-rw-r--r-- | inventory/host_vars/ch-testvm-prometheus.yml | 25 | ||||
-rw-r--r-- | roles/nginx/auth/whawty-sso/auth/defaults/main.yml | 30 | ||||
-rw-r--r-- | roles/nginx/auth/whawty-sso/auth/handlers/main.yml | 6 | ||||
-rw-r--r-- | roles/nginx/auth/whawty-sso/auth/tasks/main.yml | 25 | ||||
-rw-r--r-- | roles/nginx/auth/whawty-sso/base/templates/nginx.snippet.j2 | 4 | ||||
-rw-r--r-- | roles/nginx/auth/whawty-sso/login/defaults/main.yml | 2 |
8 files changed, 143 insertions, 5 deletions
diff --git a/chaos-at-home/ch-testvm-prometheus.yml b/chaos-at-home/ch-testvm-prometheus.yml index 9a1191ad..c142100c 100644 --- a/chaos-at-home/ch-testvm-prometheus.yml +++ b/chaos-at-home/ch-testvm-prometheus.yml @@ -7,3 +7,55 @@ - role: core/sshd/base - role: core/zsh - role: core/ntp + +- name: Payload Setup + hosts: ch-testvm-prometheus + roles: + - role: apt-repo/spreadspace + - role: nginx/base + - role: nginx/auth/whawty-sso/base + - role: nginx/auth/whawty-sso/auth + post_tasks: + #### test.chaos-at-home.org (default-server) + - name: create directory for default server + file: + path: /var/www/default + state: directory + + - name: copy chaos-at-home logo file + copy: + src: "{{ global_files_dir }}/chaos-at-home/logo.jpg" + dest: /var/www/default/logo.jpg + + - name: install index.html for default server + copy: + dest: /var/www/default/index.html + content: | + <html> + <head> + <title>No Such Site</title> + </head> + <body style="font-family: Helvetica, Arial, Sans-Serif; color: white; background: black;"> + <div style="text-align: center; margin-top: 4em; margin-left:auto; margin-right:auto;"> + <img src="logo.jpg" alt="chaos@home Logo" /> + <h2 style="">You have reached the chaos@home test webserver.</h2> + </div> + </body> + </html> + + - name: configure default vhost web.chaos-at-home.org + vars: + nginx_vhost: + default: yes + name: test + template: generic + hostnames: + - test.chaos-at-home.org + extra_directives: | + include snippets/whawty-sso-chaos-at-home.conf; + locations: + '/': + root: /var/www/default + index: index.html + include_role: + name: nginx/vhost diff --git a/inventory/host_vars/ch-http-proxy.yml b/inventory/host_vars/ch-http-proxy.yml index 255dbebe..07376b36 100644 --- a/inventory/host_vars/ch-http-proxy.yml +++ b/inventory/host_vars/ch-http-proxy.yml 
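Review bot: `default: yes` in the `nginx_vhost` definition at the end of this hunk is a YAML 1.1 truthy literal; Ansible's loader reads it as a boolean, but yamllint's `truthy` rule and YAML 1.2 parsers do not, so write `default: true`. The same applies to `secure: no` in inventory/host_vars/ch-testvm-prometheus.yml and to `daemon_reload: yes` / `enabled: yes` in roles/nginx/auth/whawty-sso/auth/tasks/main.yml in this commit. The `<h2 style="">` in the generated index.html carries an empty attribute that can be dropped.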
@@ -53,8 +53,8 @@ whawty_nginx_sso_logins: config: cookie: domain: ".chaos-at-home.org" - name: __Secure-chaos-at-home-sso - secure: yes + name: chaos-at-home-sso + secure: false expire: 23h keys: - name: 2023-11 diff --git a/inventory/host_vars/ch-testvm-prometheus.yml b/inventory/host_vars/ch-testvm-prometheus.yml index 415e6774..bec8d70d 100644 --- a/inventory/host_vars/ch-testvm-prometheus.yml +++ b/inventory/host_vars/ch-testvm-prometheus.yml @@ -35,3 +35,28 @@ network: - *_network_primary_ ntp_variant: systemd-timesyncd + + + +whawty_nginx_sso_backends: + chaos-at-home: + port: 1234 + login_url: https://login.chaos-at-home.org/login + +whawty_nginx_sso_auths: + chaos-at-home: + config: + cookie: + domain: ".chaos-at-home.org" + name: chaos-at-home-sso + secure: no + expire: 23h + keys: + - name: 2023-11 + ed25519: + public-key: |- + -----BEGIN PUBLIC KEY----- + MCowBQYDK2VwAyEAawvVwThGnYYBDLjQ0Rs71prAmxQ/tfaPUNZvPWS3Z3U= + -----END PUBLIC KEY----- + web: + listen: 127.0.0.1:1234 diff --git a/roles/nginx/auth/whawty-sso/auth/defaults/main.yml b/roles/nginx/auth/whawty-sso/auth/defaults/main.yml new file mode 100644 index 00000000..ca08addb --- /dev/null +++ b/roles/nginx/auth/whawty-sso/auth/defaults/main.yml @@ -0,0 +1,30 @@ +--- +# whawty_nginx_sso_auths: +# example: +# config: +# cookie: +# domain: ".example.com" +# name: __Secure-example-sso +# secure: yes +# expire: 168h +# keys: +# - name: 2023-11 +# ed25519: +# public-key: |- +# .... +# web: +# listen: 127.0.0.1:1234 +# foo: +# config: +# cookie: +# domain: ".foo.bar" +# name: __Secure-foobar-sso +# secure: yes +# expire: 24h +# keys: +# - name: 2023-11 +# ed25519: +# public-key: |- +# .... +# web: +# listen: 127.0.0.1:2345 diff --git a/roles/nginx/auth/whawty-sso/auth/handlers/main.yml b/roles/nginx/auth/whawty-sso/auth/handlers/main.yml new file mode 100644 index 00000000..fad676ce --- /dev/null +++ b/roles/nginx/auth/whawty-sso/auth/handlers/main.yml 
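Review bot: This hunk removes the `Secure` flag from the production SSO cookie and drops the `__Secure-` name prefix, so a cookie scoped to the whole `.chaos-at-home.org` domain may now be sent over plain HTTP and loses the browser-enforced guarantee that it was set from a TLS origin. The cookie name and `secure` value have to agree with the auth side in inventory/host_vars/ch-testvm-prometheus.yml, so if the motivation is that the new test vhost has no TLS (the `nginx_vhost` for test.chaos-at-home.org in this commit shows no TLS settings), the safer fix is to terminate TLS on the test host and keep `name: __Secure-chaos-at-home-sso` and `secure: true` here. If a non-secure cookie is really intended for the test setup, say so in a comment above the `cookie:` block, e.g. `# test setup only: cookie not marked Secure because test.chaos-at-home.org has no TLS yet`, so it does not silently stay in the proxy's host_vars after testing.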
@@ -0,0 +1,6 @@ +--- +- name: restart whawty-nginx-sso + loop: "{{ whawty_nginx_sso_auths | list }}" + service: + name: "whawty-nginx-sso@{{ item }}.service" + state: restarted diff --git a/roles/nginx/auth/whawty-sso/auth/tasks/main.yml b/roles/nginx/auth/whawty-sso/auth/tasks/main.yml new file mode 100644 index 00000000..fa6048dd --- /dev/null +++ b/roles/nginx/auth/whawty-sso/auth/tasks/main.yml @@ -0,0 +1,25 @@ +--- +- name: create configuration directory + file: + path: /etc/nginx/auth/whawty-sso + state: directory + +- name: generate configuration file + loop: "{{ whawty_nginx_sso_auths | dict2items }}" + loop_control: + label: "{{ item.key }}" + copy: + content: | + # ansible generated + {{ item.value.config | to_nice_yaml(indent=2) }} + dest: "/etc/nginx/auth/whawty-sso/{{ item.key }}.yml" + mode: 0400 + notify: restart whawty-nginx-sso + +- name: make sure nginx-sso services are enabled and started + loop: "{{ whawty_nginx_sso_auths | list }}" + systemd: + name: "whawty-nginx-sso@{{ item }}.service" + daemon_reload: yes + state: started + enabled: yes diff --git a/roles/nginx/auth/whawty-sso/base/templates/nginx.snippet.j2 b/roles/nginx/auth/whawty-sso/base/templates/nginx.snippet.j2 index f8f67c45..87f71577 100644 --- a/roles/nginx/auth/whawty-sso/base/templates/nginx.snippet.j2 +++ b/roles/nginx/auth/whawty-sso/base/templates/nginx.snippet.j2 @@ -4,7 +4,7 @@ error_page 401 = @error401; location /auth { internal; - proxy_pass 127.0.0.1:{{ item.value.port }}/auth; + proxy_pass http://127.0.0.1:{{ item.value.port }}/auth; proxy_pass_request_body off; proxy_set_header Content-Length ""; proxy_set_header X-Origin-URI $request_uri; @@ -15,5 +15,5 @@ location /auth { } location @error401 { - return 302 {{ item.value.login_url }}?redir=$scheme://$http_host$request_uri; + return 303 {{ item.value.login_url }}?redir=$scheme://$http_host$request_uri; } 
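Review bot: The handler restarts the units through the `service` module while the task in roles/nginx/auth/whawty-sso/auth/tasks/main.yml manages the same `whawty-nginx-sso@{{ item }}.service` units with `systemd`; using `systemd` in both places keeps the role consistent and avoids the generic module's init-system detection. `whawty_nginx_sso_auths` also has no default in roles/nginx/auth/whawty-sso/auth/defaults/main.yml (the new file is comments only), so both the handler loop and the task loops fail with an undefined variable on any host that includes the role without setting it. Either add `whawty_nginx_sso_auths: {}` to the defaults or state in the defaults comment that the variable is mandatory.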
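Review bot: `mode: 0400` in the "generate configuration file" task is an unquoted octal literal; Ansible warns on this and YAML parsers disagree on how to read it, so write `mode: "0400"`. The task sets no `owner`/`group`, so the rendered config (which carries the cookie verification keys) is owned by the connecting account — presumably root — and is then unreadable by `whawty-nginx-sso@{{ item }}.service` if that unit runs as a dedicated user; the unit file is not in this diff, so please confirm and add `owner:` to match if needed. A short comment above the task, e.g. `# config holds the cookie signing/verification keys: keep it 0400 and owned by the service user`, would make the intent clear to the next maintainer.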
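Review bot: The `@error401` redirect in the second hunk builds `redir=$scheme://$http_host$request_uri` from the raw `Host` header, so the return target handed to the login service is entirely client-controlled; unless the login service validates `redir` against the cookie domain before following it, this becomes an open redirect through the login page. Using `$host` instead of `$http_host` at least normalizes case and strips the port, and a comment on that line such as `# redir is client-supplied; the login service must restrict it to the SSO cookie domain` records where the check is expected to live. The enclosing snippet starts before this hunk.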
diff --git a/roles/nginx/auth/whawty-sso/login/defaults/main.yml b/roles/nginx/auth/whawty-sso/login/defaults/main.yml index c9261474..6f7afe04 100644 --- a/roles/nginx/auth/whawty-sso/login/defaults/main.yml +++ b/roles/nginx/auth/whawty-sso/login/defaults/main.yml @@ -39,7 +39,7 @@ # ... # config: # cookie: -# domain: ".example.com" +# domain: ".foo.bar" # name: __Secure-foobar-sso # secure: yes # expire: 24h |