author | Christian Pointner <equinox@spreadspace.org> | 2023-11-13 18:31:17 +0100 |
---|---|---|
committer | Christian Pointner <equinox@spreadspace.org> | 2023-11-13 18:31:17 +0100 |
commit | 937d3c3fa6290084346a8aa798166c912736fc81 (patch) | |
tree | 93727236b0bb89d0e1b24d32bf2b507677b199d2 /roles/nginx/auth/whawty-sso/login/tasks/main.yml | |
parent | upgraded a number of hosts to bookworm (diff) |
add role nginx/auth/whawty-sso
Diffstat (limited to 'roles/nginx/auth/whawty-sso/login/tasks/main.yml')
-rw-r--r-- | roles/nginx/auth/whawty-sso/login/tasks/main.yml | 64 |
1 files changed, 64 insertions, 0 deletions
diff --git a/roles/nginx/auth/whawty-sso/login/tasks/main.yml b/roles/nginx/auth/whawty-sso/login/tasks/main.yml
new file mode 100644
index 00000000..1ab43c8e
--- /dev/null
+++ b/roles/nginx/auth/whawty-sso/login/tasks/main.yml
@@ -0,0 +1,64 @@
+---
+- name: create configuration directory
+  file:
+    path: /etc/nginx/auth/whawty-sso
+    state: directory
+
+- name: generate htpasswd files for static backends
+  loop: "{{ whawty_nginx_sso_logins | dict2items | selectattr('value.config.auth.static', 'defined') | selectattr('value.config.auth.static.htpasswd', 'undefined') }}"
+  loop_control:
+    label: "{{ item.key }}"
+  copy:
+    content: |
+      {% for user,password in lookup('vars', 'whawty_nginx_sso_login_static_credentials__'~item.key).items() %}
+      {{ user }}:{{ password | password_hash('bcrypt', (user~'@whawty-nginx-sso_'~item.key) | bcrypt_salt) }}
+      {% endfor %}
+    dest: "/etc/nginx/auth/whawty-sso/{{ item.key }}.htpasswd"
+    mode: 0400
+
+
+- name: generate configuration file
+  loop: "{{ whawty_nginx_sso_logins | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
+  copy:
+    content: |
+      # ansible generated
+      {% set ssoconf = item.value.config %}
+      {% if 'static' in ssoconf.auth and 'htpasswd' not in ssoconf.auth.static %}
+      {% set _dummy = ssoconf.auth.static.update({'htpasswd': '/etc/nginx/auth/whawty-sso/'~item.key~'.htpasswd'}) %}
+      {% endif %}
+      {{ ssoconf | to_nice_yaml(indent=2) }}
+    dest: "/etc/nginx/auth/whawty-sso/{{ item.key }}.yml"
+    mode: 0400
+  notify: restart whawty-nginx-sso
+
+- name: make sure nginx-sso services are enabled and started
+  loop: "{{ whawty_nginx_sso_logins | list }}"
+  systemd:
+    name: "whawty-nginx-sso@{{ item }}.service"
+    daemon_reload: yes
+    state: started
+    enabled: yes
+
+- name: configure vhost for whawty nginx-sso login
+  loop: "{{ whawty_nginx_sso_logins | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
+  vars:
+    nginx_vhost:
+      name: "whawty-nginx-sso-{{ item.key }}"
+      template: generic
+      tls:
+        certificate_provider: acmetool
+        certificate_config:
+          request:
+            challenge:
+              http-self-test: false
+      hostnames:
+        - "{{ item.value.hostname }}"
+      locations:
+        '/':
+          proxy_pass: "http://{{ item.value.config.web.listen }}/"
+  include_role:
+    name: nginx/vhost
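Review bot: `mode: 0400` in both copy tasks is an unquoted leading-zero octal; Ansible's own guidance is to pass modes as strings so the YAML loader cannot reinterpret them, so prefer `mode: "0400"` in both places, and `daemon_reload: yes` / `enabled: yes` in the systemd task should be the canonical `true`. The "create configuration directory" task sets no owner, group or mode, so /etc/nginx/auth/whawty-sso gets whatever the umask yields; since the files inside are 0400, an explicit `mode: "0750"` would state the intended exposure, and I cannot see from this hunk which user the whawty-nginx-sso@ unit runs as, so whether root-owned 0400 files are readable by the service needs confirming against the unit. The htpasswd task carries no `notify`, unlike the configuration task, so a changed static credential is written but the service is not restarted; if nginx-sso reads the htpasswd file only at startup, add `notify: restart whawty-nginx-sso` to that task too. The `ssoconf.auth.static.update(...)` in the configuration template mutates the looped variable in place, which works here only because the htpasswd task runs first and selects on the same `htpasswd` key; a short comment above the `{% if %}` stating that ordering dependency would help the next maintainer.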