finalize whawty.nginx-sso roles

author: Christian Pointner <equinox@spreadspace.org> 2023-11-13 21:56:24 +0100
committer: Christian Pointner <equinox@spreadspace.org> 2023-11-13 21:56:24 +0100
commit: a0c1aa799d94c3ce0c697bfd6777e0233dd77d92 (patch)
tree: 0c2b858fc4526bc64edc1668da4580f8d54d6ef3
parent: add role nginx/auth/whawty-sso (diff)
8 files changed, 143 insertions, 5 deletions
diff --git a/chaos-at-home/ch-testvm-prometheus.yml b/chaos-at-home/ch-testvm-prometheus.yml
index 9a1191ad..c142100c 100644
--- a/chaos-at-home/ch-testvm-prometheus.yml
+++ b/chaos-at-home/ch-testvm-prometheus.yml
@@ -7,3 +7,55 @@
   - role: core/sshd/base
   - role: core/zsh
   - role: core/ntp
+
+- name: Payload Setup
+  hosts: ch-testvm-prometheus
+  roles:
+  - role: apt-repo/spreadspace
+  - role: nginx/base
+  - role: nginx/auth/whawty-sso/base
+  - role: nginx/auth/whawty-sso/auth
+  post_tasks:
+  #### test.chaos-at-home.org (default-server)
+  - name: create directory for default server
+    file:
+      path: /var/www/default
+      state: directory
+
+  - name: copy chaos-at-home logo file
+    copy:
+      src: "{{ global_files_dir }}/chaos-at-home/logo.jpg"
+      dest: /var/www/default/logo.jpg
+
+  - name: install index.html for default server
+    copy:
+      dest: /var/www/default/index.html
+      content: |
+        <html>
+          <head>
+            <title>No Such Site</title>
+          </head>
+          <body style="font-family: Helvetica, Arial, Sans-Serif; color: white; background: black;">
+            <div style="text-align: center; margin-top: 4em; margin-left:auto; margin-right:auto;">
+              <img src="logo.jpg" alt="chaos@home Logo" />
+              <h2 style="">You have reached the chaos@home test webserver.</h2>
+            </div>
+          </body>
+        </html>
+
+  - name: configure default vhost web.chaos-at-home.org
+    vars:
+      nginx_vhost:
+        default: yes
+        name: test
+        template: generic
+        hostnames:
+        - test.chaos-at-home.org
+        extra_directives: |
+          include snippets/whawty-sso-chaos-at-home.conf;
+        locations:
+          '/':
+            root: /var/www/default
+            index: index.html
+    include_role:
+      name: nginx/vhost
diff --git a/inventory/host_vars/ch-http-proxy.yml b/inventory/host_vars/ch-http-proxy.yml
index 255dbebe..07376b36 100644
--- a/inventory/host_vars/ch-http-proxy.yml
+++ b/inventory/host_vars/ch-http-proxy.yml
@@ -53,8 +53,8 @@ whawty_nginx_sso_logins:
     config:
       cookie:
         domain: ".chaos-at-home.org"
-        name: __Secure-chaos-at-home-sso
-        secure: yes
+        name: chaos-at-home-sso
+        secure: false
         expire: 23h
         keys:
         - name: 2023-11
diff --git a/inventory/host_vars/ch-testvm-prometheus.yml b/inventory/host_vars/ch-testvm-prometheus.yml
index 415e6774..bec8d70d 100644
--- a/inventory/host_vars/ch-testvm-prometheus.yml
+++ b/inventory/host_vars/ch-testvm-prometheus.yml
@@ -35,3 +35,28 @@ network:
   - *_network_primary_
 
 ntp_variant: systemd-timesyncd
+
+
+
+whawty_nginx_sso_backends:
+  chaos-at-home:
+    port: 1234
+    login_url: https://login.chaos-at-home.org/login
+
+whawty_nginx_sso_auths:
+  chaos-at-home:
+    config:
+      cookie:
+        domain: ".chaos-at-home.org"
+        name: chaos-at-home-sso
+        secure: no
+        expire: 23h
+        keys:
+        - name: 2023-11
+          ed25519:
+            public-key: |-
+              -----BEGIN PUBLIC KEY-----
+              MCowBQYDK2VwAyEAawvVwThGnYYBDLjQ0Rs71prAmxQ/tfaPUNZvPWS3Z3U=
+              -----END PUBLIC KEY-----
+      web:
+        listen: 127.0.0.1:1234
diff --git a/roles/nginx/auth/whawty-sso/auth/defaults/main.yml b/roles/nginx/auth/whawty-sso/auth/defaults/main.yml
new file mode 100644
index 00000000..ca08addb
--- /dev/null
+++ b/roles/nginx/auth/whawty-sso/auth/defaults/main.yml
@@ -0,0 +1,30 @@
+---
+# whawty_nginx_sso_auths:
+#   example:
+#     config:
+#       cookie:
+#         domain: ".example.com"
+#         name: __Secure-example-sso
+#         secure: yes
+#         expire: 168h
+#         keys:
+#         - name: 2023-11
+#           ed25519:
+#             public-key: |-
+#               ....
+#       web:
+#         listen: 127.0.0.1:1234
+#   foo:
+#     config:
+#       cookie:
+#         domain: ".foo.bar"
+#         name: __Secure-foobar-sso
+#         secure: yes
+#         expire: 24h
+#         keys:
+#         - name: 2023-11
+#           ed25519:
+#             public-key: |-
+#               ....
+#       web:
+#         listen: 127.0.0.1:2345
diff --git a/roles/nginx/auth/whawty-sso/auth/handlers/main.yml b/roles/nginx/auth/whawty-sso/auth/handlers/main.yml
new file mode 100644
index 00000000..fad676ce
--- /dev/null
+++ b/roles/nginx/auth/whawty-sso/auth/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: restart whawty-nginx-sso
+  loop: "{{ whawty_nginx_sso_auths | list }}"
+  service:
+    name: "whawty-nginx-sso@{{ item }}.service"
+    state: restarted
diff --git a/roles/nginx/auth/whawty-sso/auth/tasks/main.yml b/roles/nginx/auth/whawty-sso/auth/tasks/main.yml
new file mode 100644
index 00000000..fa6048dd
--- /dev/null
+++ b/roles/nginx/auth/whawty-sso/auth/tasks/main.yml
@@ -0,0 +1,25 @@
+---
+- name: create configuration directory
+  file:
+    path: /etc/nginx/auth/whawty-sso
+    state: directory
+
+- name: generate configuration file
+  loop: "{{ whawty_nginx_sso_auths | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
+  copy:
+    content: |
+      # ansible generated
+      {{ item.value.config | to_nice_yaml(indent=2) }}
+    dest: "/etc/nginx/auth/whawty-sso/{{ item.key }}.yml"
+    mode: 0400
+  notify: restart whawty-nginx-sso
+
+- name: make sure nginx-sso services are enabled and started
+  loop: "{{ whawty_nginx_sso_auths | list }}"
+  systemd:
+    name: "whawty-nginx-sso@{{ item }}.service"
+    daemon_reload: yes
+    state: started
+    enabled: yes
diff --git a/roles/nginx/auth/whawty-sso/base/templates/nginx.snippet.j2 b/roles/nginx/auth/whawty-sso/base/templates/nginx.snippet.j2
index f8f67c45..87f71577 100644
--- a/roles/nginx/auth/whawty-sso/base/templates/nginx.snippet.j2
+++ b/roles/nginx/auth/whawty-sso/base/templates/nginx.snippet.j2
@@ -4,7 +4,7 @@ error_page 401 = @error401;
 location /auth {
     internal;
 
-    proxy_pass 127.0.0.1:{{ item.value.port }}/auth;
+    proxy_pass http://127.0.0.1:{{ item.value.port }}/auth;
     proxy_pass_request_body off;
     proxy_set_header Content-Length "";
     proxy_set_header X-Origin-URI $request_uri;
@@ -15,5 +15,5 @@ location /auth {
 }
 
 location @error401 {
-    return 302 {{ item.value.login_url }}?redir=$scheme://$http_host$request_uri;
+    return 303 {{ item.value.login_url }}?redir=$scheme://$http_host$request_uri;
 }
diff --git a/roles/nginx/auth/whawty-sso/login/defaults/main.yml b/roles/nginx/auth/whawty-sso/login/defaults/main.yml
index c9261474..6f7afe04 100644
--- a/roles/nginx/auth/whawty-sso/login/defaults/main.yml
+++ b/roles/nginx/auth/whawty-sso/login/defaults/main.yml
@@ -39,7 +39,7 @@
 #       ...
 #     config:
 #       cookie:
-#         domain: ".example.com"
+#         domain: ".foo.bar"
 #         name: __Secure-foobar-sso
 #         secure: yes
 #         expire: 24h
author	Christian Pointner <equinox@spreadspace.org>	2023-11-13 21:56:24 +0100
committer	Christian Pointner <equinox@spreadspace.org>	2023-11-13 21:56:24 +0100
commit	a0c1aa799d94c3ce0c697bfd6777e0233dd77d92 (patch)
tree	0c2b858fc4526bc64edc1668da4580f8d54d6ef3
parent	add role nginx/auth/whawty-sso (diff)