authorChristian Pointner <equinox@spreadspace.org>2024-01-28 02:11:05 +0100
committerChristian Pointner <equinox@spreadspace.org>2024-01-28 02:11:05 +0100
commit24b4917d8186551bcf987b72d1c3588e4705096a (patch)
tree4cba19d0999095ac27edafc9f88513fdaa80ab16 /inventory
parentmove ch-auth-legacy to _graveyard_ (diff)
finalize whawty/auth roles for now
Diffstat (limited to 'inventory')
-rw-r--r--inventory/group_vars/chaos-at-home/vars.yml19
-rw-r--r--inventory/host_vars/ch-apps/whawty.yml21
-rw-r--r--inventory/host_vars/ch-http-proxy.yml23
-rw-r--r--inventory/host_vars/ch-testvm-prometheus.yml26
4 files changed, 42 insertions, 47 deletions
diff --git a/inventory/group_vars/chaos-at-home/vars.yml b/inventory/group_vars/chaos-at-home/vars.yml
index 76b1fab7..9a6e5987 100644
--- a/inventory/group_vars/chaos-at-home/vars.yml
+++ b/inventory/group_vars/chaos-at-home/vars.yml
@@ -51,3 +51,22 @@ chaos_at_home_internal_ca_cert: |
greenbone_target_user_ssh_keys:
- ssh-rsa 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
+
+
+whawty_auth_store__chaos_at_home:
+ default: 2
+ params:
+ - id: 1
+ scryptauth:
+ hmackey: "{{ vault_whawty_auth_scryptauth_hmackeys__chaos_at_home['1'] }}"
+ cost: 12
+ - id: 2
+ scryptauth:
+ hmackey: "{{ vault_whawty_auth_scryptauth_hmackeys__chaos_at_home['2'] }}"
+ cost: 12
+ - id: 3
+ argon2id:
+ time: 1
+ memory: 65536
+ threads: 4
+ length: 32
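Review bot: `default: 2` still selects the scryptauth cost-12 param, so the argon2id param (id 3) is defined but presumably not the one used for newly written hashes; if adding argon2id is meant to start a migration, this should be `default: 3`, otherwise a comment above `default:` stating why scryptauth remains the default would save the next reader the same question. The vault lookups change from `vault_whawty_auth_scryptauth_hmackeys['passwd.chaos-at-home.org'][...]` (removed in the ch-apps/whawty.yml hunk) to `vault_whawty_auth_scryptauth_hmackeys__chaos_at_home[...]`; the vault file is not part of this diff, and the key material behind ids 1 and 2 has to stay byte-identical to what the existing hashes were created with, since a scryptauth hash only verifies under its original HMAC key. The removed test config on ch-testvm-prometheus.yml carried the unit for the argon2id memory value; keeping it here as `memory: 65536  # 64 MiB` would help.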
diff --git a/inventory/host_vars/ch-apps/whawty.yml b/inventory/host_vars/ch-apps/whawty.yml
index f2ff0a4f..a0ea111f 100644
--- a/inventory/host_vars/ch-apps/whawty.yml
+++ b/inventory/host_vars/ch-apps/whawty.yml
@@ -7,26 +7,11 @@ whawty_auth_instances:
passwd.chaos-at-home.org:
version: 0.2-rc9
port: 3080
- store:
- default: 2
- params:
- - id: 1
- scryptauth:
- hmackey: "{{ vault_whawty_auth_scryptauth_hmackeys['passwd.chaos-at-home.org']['1'] }}"
- cost: 12
- - id: 2
- scryptauth:
- hmackey: "{{ vault_whawty_auth_scryptauth_hmackeys['passwd.chaos-at-home.org']['2'] }}"
- cost: 12
- - id: 3
- argon2id:
- time: 1
- memory: 65536
- threads: 4
- length: 32
+ store: "{{ whawty_auth_store__chaos_at_home }}"
sync:
port: 3022
- authorized_keys: "{{ users.equinox.ssh }}"
+ authorized_keys:
+ - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsY3QIaN/S05EHZ9IF6GWgXG0wAh5qAxgQAq7ZLtNP8 whawty-auth-sync-chaos-at-home@ch-http-proxy
storage:
type: zfs
parent: "{{ _whawty_auth_zfs_base_ }}"
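Review bot: The new `authorized_keys` entry is a single literal public key with no note on where its private half lives; its comment field suggests it is the client key of the `whawty_auth_store_instances` sync client that the ch-http-proxy.yml hunk points at port 3022, so a line such as `# public half of the sync client key held on ch-http-proxy (see whawty_auth_store_instances there)` above it would make the pairing auditable. Replacing `users.equinox.ssh` with a dedicated key is the right direction, since a personal key no longer grants pull access to the password store. The enclosing `whawty_auth_instances` mapping starts before this hunk.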
diff --git a/inventory/host_vars/ch-http-proxy.yml b/inventory/host_vars/ch-http-proxy.yml
index eabf7dbe..46e63c1d 100644
--- a/inventory/host_vars/ch-http-proxy.yml
+++ b/inventory/host_vars/ch-http-proxy.yml
@@ -54,6 +54,19 @@ prometheus_job_multitarget_blackbox__probe:
hostname: "login.chaos-at-home.org"
+whawty_auth_store_instances:
+ chaos-at-home:
+ config: "{{ whawty_auth_store__chaos_at_home | combine({'basedir': '/var/lib/whawty/auth/chaos-at-home'}) }}"
+ permissions:
+ file-mode: "0600"
+ dir-mode: "0700"
+ sync:
+ type: client
+ hostname: 192.168.32.1
+ port: 3022
+ user: sync
+
+
whawty_nginx_sso_backends:
chaos-at-home:
port: 1234
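Review bot: `permissions:` sets `file-mode: "0600"` and `dir-mode: "0700"` but no `owner:`/`group:`, while the store config this commit removes from ch-testvm-prometheus.yml set both (`owner: root`, `group: foo`); with these modes only the owning user can read the synced store, and the whawty-nginx-sso instance in the second hunk of this file loads it via `store: /etc/whawty/auth/store-chaos-at-home.yml`, so the effective owner has to be the user that process runs as. Presumably the role fills in a default owner — if that default is not the sso user, add explicit `owner:` and `group:` lines, or relax to a group-readable `"0640"`/`"0750"` with the sso user in that group. `sync.hostname: 192.168.32.1` is a bare address that another host's inventory has to match; a comment naming the peer it pulls from (presumably the ch-apps instance whose sync port 3022 is set in the whawty.yml hunk) would keep the two sides linkable.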
@@ -81,8 +94,14 @@ whawty_nginx_sso_logins:
backend:
bolt: {}
auth:
- static:
+ whawty:
+ store: /etc/whawty/auth/store-chaos-at-home.yml
autoreload: yes
+ remote-upgrades:
+ url: https://127.0.0.1/api/update
+ http-host: passwd.chaos-at-home.org
+ tls:
+ server-name: passwd.chaos-at-home.org
web:
listen: 127.0.0.1:1234
login:
@@ -92,8 +111,6 @@ whawty_nginx_sso_logins:
prometheus:
listen: 127.0.0.1:1235
-whawty_nginx_sso_login_static_credentials__chaos-at-home: "{{ vault_whawty_nginx_sso_login_static_credentials['chaos-at-home'] }}"
-
prometheus_job_multitarget_whawty_nginx_sso:
ch-http-proxy:
- instance: "whawty-nginx-sso-{{ inventory_hostname }}-chaos-at-home"
diff --git a/inventory/host_vars/ch-testvm-prometheus.yml b/inventory/host_vars/ch-testvm-prometheus.yml
index 91a55830..415e6774 100644
--- a/inventory/host_vars/ch-testvm-prometheus.yml
+++ b/inventory/host_vars/ch-testvm-prometheus.yml
@@ -35,29 +35,3 @@ network:
- *_network_primary_
ntp_variant: systemd-timesyncd
-
-
-
-###
-whawty_auth_store:
- name: foo
- config:
- basedir: "/var/lib/whawty/auth/foo"
- default: 1
- params:
- - id: 1
- argon2id:
- time: 1
- memory: 65536 ## 64 MB
- threads: 4
- length: 32
- permissions:
- owner: root
- group: foo
- file-mode: "0640"
- dir-mode: "0750"
- sync:
- type: client
- hostname: 192.168.32.1
- port: 3022
- user: sync