authorChristian Pointner <equinox@spreadspace.org>2023-11-13 21:56:24 +0100
committerChristian Pointner <equinox@spreadspace.org>2023-11-13 21:56:24 +0100
commita0c1aa799d94c3ce0c697bfd6777e0233dd77d92 (patch)
tree0c2b858fc4526bc64edc1668da4580f8d54d6ef3
parentadd role nginx/auth/whawty-sso (diff)
finalize whawty.nginx-sso roles
-rw-r--r--chaos-at-home/ch-testvm-prometheus.yml52
-rw-r--r--inventory/host_vars/ch-http-proxy.yml4
-rw-r--r--inventory/host_vars/ch-testvm-prometheus.yml25
-rw-r--r--roles/nginx/auth/whawty-sso/auth/defaults/main.yml30
-rw-r--r--roles/nginx/auth/whawty-sso/auth/handlers/main.yml6
-rw-r--r--roles/nginx/auth/whawty-sso/auth/tasks/main.yml25
-rw-r--r--roles/nginx/auth/whawty-sso/base/templates/nginx.snippet.j24
-rw-r--r--roles/nginx/auth/whawty-sso/login/defaults/main.yml2
8 files changed, 143 insertions, 5 deletions
diff --git a/chaos-at-home/ch-testvm-prometheus.yml b/chaos-at-home/ch-testvm-prometheus.yml
index 9a1191ad..c142100c 100644
--- a/chaos-at-home/ch-testvm-prometheus.yml
+++ b/chaos-at-home/ch-testvm-prometheus.yml
@@ -7,3 +7,55 @@
- role: core/sshd/base
- role: core/zsh
- role: core/ntp
+
+- name: Payload Setup
+ hosts: ch-testvm-prometheus
+ roles:
+ - role: apt-repo/spreadspace
+ - role: nginx/base
+ - role: nginx/auth/whawty-sso/base
+ - role: nginx/auth/whawty-sso/auth
+ post_tasks:
+ #### test.chaos-at-home.org (default-server)
+ - name: create directory for default server
+ file:
+ path: /var/www/default
+ state: directory
+
+ - name: copy chaos-at-home logo file
+ copy:
+ src: "{{ global_files_dir }}/chaos-at-home/logo.jpg"
+ dest: /var/www/default/logo.jpg
+
+ - name: install index.html for default server
+ copy:
+ dest: /var/www/default/index.html
+ content: |
+ <html>
+ <head>
+ <title>No Such Site</title>
+ </head>
+ <body style="font-family: Helvetica, Arial, Sans-Serif; color: white; background: black;">
+ <div style="text-align: center; margin-top: 4em; margin-left:auto; margin-right:auto;">
+ <img src="logo.jpg" alt="chaos@home Logo" />
+ <h2 style="">You have reached the chaos@home test webserver.</h2>
+ </div>
+ </body>
+ </html>
+
+ - name: configure default vhost web.chaos-at-home.org
+ vars:
+ nginx_vhost:
+ default: yes
+ name: test
+ template: generic
+ hostnames:
+ - test.chaos-at-home.org
+ extra_directives: |
+ include snippets/whawty-sso-chaos-at-home.conf;
+ locations:
+ '/':
+ root: /var/www/default
+ index: index.html
+ include_role:
+ name: nginx/vhost
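Review bot: The three `file`/`copy` tasks that build `/var/www/default` (lines 39-51) set no `owner`, `group` or `mode`, so the web root ends up with whatever the connecting user and umask produce; pin them, e.g. `owner: root`, `group: root`, `mode: "0755"` on the directory and `mode: "0644"` on the two files, so the document root is never writable by the account nginx runs as. Note also that this vhost is `default: yes` and includes the SSO snippet, so every request for a Host name the server does not otherwise know is answered by the snippet's redirect to the login URL built from that Host header — worth a comment on line 74 such as `# catch-all vhost: SSO redirect applies to any unknown Host, see whawty-sso snippet`. Nothing in this hunk enables TLS for test.chaos-at-home.org while the host's auth config in this commit sets the SSO cookie `secure: no`; if the generic template does not add TLS, the session cookie will travel in clear to this host.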
diff --git a/inventory/host_vars/ch-http-proxy.yml b/inventory/host_vars/ch-http-proxy.yml
index 255dbebe..07376b36 100644
--- a/inventory/host_vars/ch-http-proxy.yml
+++ b/inventory/host_vars/ch-http-proxy.yml
@@ -53,8 +53,8 @@ whawty_nginx_sso_logins:
config:
cookie:
domain: ".chaos-at-home.org"
- name: __Secure-chaos-at-home-sso
- secure: yes
+ name: chaos-at-home-sso
+ secure: false
expire: 23h
keys:
- name: 2023-11
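Review bot: Dropping `secure: yes` and the `__Secure-` prefix on the login service's cookie (lines 89-92) is a security regression rather than a rename: the cookie is scoped to `.chaos-at-home.org`, so once it is set without the Secure attribute the browser also sends the SSO session to any plain-http host under that domain, and an on-path attacker who can steer a victim to an `http://` URL on any subdomain can read it. If the downgrade only exists to make the not-yet-TLS test VM work, it weakens every site behind the proxy at once; keeping `name: __Secure-chaos-at-home-sso` and `secure: true` here and giving the test host TLS is the safer path. If the downgrade is deliberate, say so and when it is to be reverted, e.g. `# TEMP: Secure flag dropped for the http-only test vm; revert once test.chaos-at-home.org has TLS`. The file now also mixes `yes`/`no` and `true`/`false` for booleans; `true`/`false` throughout avoids YAML 1.1 truthy surprises.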
diff --git a/inventory/host_vars/ch-testvm-prometheus.yml b/inventory/host_vars/ch-testvm-prometheus.yml
index 415e6774..bec8d70d 100644
--- a/inventory/host_vars/ch-testvm-prometheus.yml
+++ b/inventory/host_vars/ch-testvm-prometheus.yml
@@ -35,3 +35,28 @@ network:
- *_network_primary_
ntp_variant: systemd-timesyncd
+
+
+
+whawty_nginx_sso_backends:
+ chaos-at-home:
+ port: 1234
+ login_url: https://login.chaos-at-home.org/login
+
+whawty_nginx_sso_auths:
+ chaos-at-home:
+ config:
+ cookie:
+ domain: ".chaos-at-home.org"
+ name: chaos-at-home-sso
+ secure: no
+ expire: 23h
+ keys:
+ - name: 2023-11
+ ed25519:
+ public-key: |-
+ -----BEGIN PUBLIC KEY-----
+ MCowBQYDK2VwAyEAawvVwThGnYYBDLjQ0Rs71prAmxQ/tfaPUNZvPWS3Z3U=
+ -----END PUBLIC KEY-----
+ web:
+ listen: 127.0.0.1:1234
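Review bot: The backend port is written twice, as `port: 1234` under `whawty_nginx_sso_backends` (line 108) and as `listen: 127.0.0.1:1234` under the auth config (line 127), with nothing tying them together; if one is changed without the other, nginx's `/auth` location will proxy to a port nobody listens on. Deriving one from the other, e.g. `listen: "127.0.0.1:{{ whawty_nginx_sso_backends['chaos-at-home'].port }}"`, removes the drift. `secure: no` on line 117 should be `secure: false` (the proxy host_vars in this same commit already use `false`), and the cookie `name`/`domain`/`secure` values here presumably have to match the login service's entry exactly for the cookie to be accepted — a one-line comment saying so would help the next person editing only one of the two files. The three blank lines before `whawty_nginx_sso_backends` can be reduced to one.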
diff --git a/roles/nginx/auth/whawty-sso/auth/defaults/main.yml b/roles/nginx/auth/whawty-sso/auth/defaults/main.yml
new file mode 100644
index 00000000..ca08addb
--- /dev/null
+++ b/roles/nginx/auth/whawty-sso/auth/defaults/main.yml
@@ -0,0 +1,30 @@
+---
+# whawty_nginx_sso_auths:
+# example:
+# config:
+# cookie:
+# domain: ".example.com"
+# name: __Secure-example-sso
+# secure: yes
+# expire: 168h
+# keys:
+# - name: 2023-11
+# ed25519:
+# public-key: |-
+# ....
+# web:
+# listen: 127.0.0.1:1234
+# foo:
+# config:
+# cookie:
+# domain: ".foo.bar"
+# name: __Secure-foobar-sso
+# secure: yes
+# expire: 24h
+# keys:
+# - name: 2023-11
+# ed25519:
+# public-key: |-
+# ....
+# web:
+# listen: 127.0.0.1:2345
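Review bot: The example config documents `name: __Secure-example-sso` together with `secure: yes` but does not say that the two belong together; browsers only accept a cookie with the `__Secure-` prefix when it carries the Secure attribute and is set from an https origin, so a reader who copies the name and flips `secure` gets a cookie that is silently rejected. Add a comment above the `cookie:` example such as `# a __Secure- cookie name requires secure: true and an https login URL`, and prefer `true`/`false` over `yes`/`no` in the example. It would also help to note that the `cookie` and `keys` settings are the counterpart of the login host's `whawty_nginx_sso_logins` entry (public key here, private key there — inferred from the inventory in this commit, please confirm) and must be kept in sync.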
diff --git a/roles/nginx/auth/whawty-sso/auth/handlers/main.yml b/roles/nginx/auth/whawty-sso/auth/handlers/main.yml
new file mode 100644
index 00000000..fad676ce
--- /dev/null
+++ b/roles/nginx/auth/whawty-sso/auth/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: restart whawty-nginx-sso
+ loop: "{{ whawty_nginx_sso_auths | list }}"
+ service:
+ name: "whawty-nginx-sso@{{ item }}.service"
+ state: restarted
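Review bot: The handler uses the `service` module while the tasks file in the same role manages the very same units with `systemd`; using `systemd:` here too keeps the two code paths identical (same unit resolution, same `daemon_reload` semantics). Note that this handler restarts every instance in `whawty_nginx_sso_auths` whenever any single config file changes; that is acceptable for a handful of instances, but a comment stating it is intentional, e.g. `# restarts all instances, not only the one whose config changed`, would save someone from debugging unexpected restarts later.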
diff --git a/roles/nginx/auth/whawty-sso/auth/tasks/main.yml b/roles/nginx/auth/whawty-sso/auth/tasks/main.yml
new file mode 100644
index 00000000..fa6048dd
--- /dev/null
+++ b/roles/nginx/auth/whawty-sso/auth/tasks/main.yml
@@ -0,0 +1,25 @@
+---
+- name: create configuration directory
+ file:
+ path: /etc/nginx/auth/whawty-sso
+ state: directory
+
+- name: generate configuration file
+ loop: "{{ whawty_nginx_sso_auths | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ copy:
+ content: |
+ # ansible generated
+ {{ item.value.config | to_nice_yaml(indent=2) }}
+ dest: "/etc/nginx/auth/whawty-sso/{{ item.key }}.yml"
+ mode: 0400
+ notify: restart whawty-nginx-sso
+
+- name: make sure nginx-sso services are enabled and started
+ loop: "{{ whawty_nginx_sso_auths | list }}"
+ systemd:
+ name: "whawty-nginx-sso@{{ item }}.service"
+ daemon_reload: yes
+ state: started
+ enabled: yes
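Review bot: `mode: 0400` on line 197 is an unquoted octal literal; it happens to parse to the right value, but ansible-lint flags it as risky and the safe spelling is `mode: "0400"`. More importantly no `owner`/`group` is set, so the file is root-owned and readable by root only — that is only correct if `whawty-nginx-sso@.service` runs as root, which the unit file (not part of this commit) decides; if it runs as a dedicated user, add `owner:` for that user or the service will fail to read its config. The generated content visible here is a public key plus cookie attributes, so 0400 is stricter than the data requires but harmless once ownership matches the service user; the directory task on line 183 should likewise pin `mode: "0755"` and ownership.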
diff --git a/roles/nginx/auth/whawty-sso/base/templates/nginx.snippet.j2 b/roles/nginx/auth/whawty-sso/base/templates/nginx.snippet.j2
index f8f67c45..87f71577 100644
--- a/roles/nginx/auth/whawty-sso/base/templates/nginx.snippet.j2
+++ b/roles/nginx/auth/whawty-sso/base/templates/nginx.snippet.j2
@@ -4,7 +4,7 @@ error_page 401 = @error401;
location /auth {
internal;
- proxy_pass 127.0.0.1:{{ item.value.port }}/auth;
+ proxy_pass http://127.0.0.1:{{ item.value.port }}/auth;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Origin-URI $request_uri;
@@ -15,5 +15,5 @@ location /auth {
}
location @error401 {
- return 302 {{ item.value.login_url }}?redir=$scheme://$http_host$request_uri;
+ return 303 {{ item.value.login_url }}?redir=$scheme://$http_host$request_uri;
}
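Review bot: The `redir` value on line 223 is assembled from `$http_host`, which is the raw client-supplied Host header, and from `$request_uri` without URL-encoding; the first lets an attacker hand a victim a link whose post-login return target is a host of the attacker's choosing unless the login service checks `redir` against its cookie domain (that check is not visible in this commit), and the second means any `&` or `#` in the original query string is parsed by the login service as separate parameters, corrupting the return URL. Use `$host` (lowercased, port stripped, falls back to `server_name`) instead of `$http_host`, and document on the login side that `redir` must be validated, e.g. `# redir is attacker-influenced: login must restrict it to the cookie domain`. nginx core has no URL-encoding variable, so if the login service does not tolerate an unencoded query string the cleanest fix is to pass the target via a header and let the login service build the redirect itself. The switch from 302 to 303 is a good change since it prevents a POST from being replayed against the login URL. The snippet's first lines (`auth_request`, if present) are outside this hunk.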
diff --git a/roles/nginx/auth/whawty-sso/login/defaults/main.yml b/roles/nginx/auth/whawty-sso/login/defaults/main.yml
index c9261474..6f7afe04 100644
--- a/roles/nginx/auth/whawty-sso/login/defaults/main.yml
+++ b/roles/nginx/auth/whawty-sso/login/defaults/main.yml
@@ -39,7 +39,7 @@
# ...
# config:
# cookie:
-# domain: ".example.com"
+# domain: ".foo.bar"
# name: __Secure-foobar-sso
# secure: yes
# expire: 24h