add role nginx/auth/whawty-sso

4 files changed, 78 insertions, 0 deletions

diff --git a/roles/nginx/auth/whawty-sso/base/defaults/main.yml b/roles/nginx/auth/whawty-sso/base/defaults/main.yml
new file mode 100644
index 00000000..62c3e318
--- /dev/null
+++ b/roles/nginx/auth/whawty-sso/base/defaults/main.yml
@@ -0,0 +1,8 @@
+---
+# whawty_nginx_sso_backends:
+#   example:
+#     port: 1234
+#     login_url: https://login.example.com/login
+#   foo:
+#     port: 2345
+#     login_url: https://login.foo.bar/login
diff --git a/roles/nginx/auth/whawty-sso/base/tasks/main.yml b/roles/nginx/auth/whawty-sso/base/tasks/main.yml
new file mode 100644
index 00000000..a410cfeb
--- /dev/null
+++ b/roles/nginx/auth/whawty-sso/base/tasks/main.yml
@@ -0,0 +1,20 @@
+---
+# TODO: create whawty-nginx-sso user?
+
+- name: install nginx-sso package
+  apt:
+    name: whawty-nginx-sso
+    state: present
+
+- name: generate nginx snippets
+  loop: "{{ whawty_nginx_sso_backends | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
+  template:
+    src: nginx.snippet.j2
+    dest: "/etc/nginx/snippets/whawty-sso-{{ item.key }}.conf"
+
+- name: install systemd service unit
+  template:
+    src: whawty-nginx-sso@.service.j2
+    dest: /etc/systemd/system/whawty-nginx-sso@.service
diff --git a/roles/nginx/auth/whawty-sso/base/templates/nginx.snippet.j2 b/roles/nginx/auth/whawty-sso/base/templates/nginx.snippet.j2
new file mode 100644
index 00000000..f8f67c45
--- /dev/null
+++ b/roles/nginx/auth/whawty-sso/base/templates/nginx.snippet.j2
@@ -0,0 +1,19 @@
+auth_request /auth;
+error_page 401 = @error401;
+
+location /auth {
+    internal;
+
+    proxy_pass 127.0.0.1:{{ item.value.port }}/auth;
+    proxy_pass_request_body off;
+    proxy_set_header Content-Length "";
+    proxy_set_header X-Origin-URI $request_uri;
+    proxy_set_header X-Host $http_host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+}
+
+location @error401 {
+    return 302 {{ item.value.login_url }}?redir=$scheme://$http_host$request_uri;
+}
diff --git a/roles/nginx/auth/whawty-sso/base/templates/whawty-nginx-sso@.service.j2 b/roles/nginx/auth/whawty-sso/base/templates/whawty-nginx-sso@.service.j2
new file mode 100644
index 00000000..d4a787f3
--- /dev/null
+++ b/roles/nginx/auth/whawty-sso/base/templates/whawty-nginx-sso@.service.j2
@@ -0,0 +1,31 @@
+[Unit]
+Description=whawty nginx SSO authentication daemon (%i)
+
+[Service]
+Restart=on-failure
+#Environment="WHAWTY_NGINX_SSO_DEBUG=1"
+ExecStart=/usr/bin/whawty-nginx-sso --config /etc/nginx/auth/whawty-sso/%i.yml run
+
+# systemd hardening-options
+AmbientCapabilities=
+CapabilityBoundingSet=
+DeviceAllow=/dev/null rw
+DevicePolicy=strict
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=full
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target