diff options
| author | Christian Pointner <equinox@spreadspace.org> | 2023-11-13 18:31:17 +0100 |
|---|---|---|
| committer | Christian Pointner <equinox@spreadspace.org> | 2023-11-13 18:31:17 +0100 |
| commit | 937d3c3fa6290084346a8aa798166c912736fc81 (patch) | |
| tree | 93727236b0bb89d0e1b24d32bf2b507677b199d2 /roles/nginx/auth/whawty-sso/login | |
| parent | upgraded a number of hosts to bookworm (diff) | |
add role nginx/auth/whawty-sso
Diffstat (limited to 'roles/nginx/auth/whawty-sso/login')
| -rw-r--r-- | roles/nginx/auth/whawty-sso/login/defaults/main.yml | 61 | ||||
| -rw-r--r-- | roles/nginx/auth/whawty-sso/login/handlers/main.yml | 6 | ||||
| -rw-r--r-- | roles/nginx/auth/whawty-sso/login/tasks/main.yml | 64 |
3 files changed, 131 insertions, 0 deletions
diff --git a/roles/nginx/auth/whawty-sso/login/defaults/main.yml b/roles/nginx/auth/whawty-sso/login/defaults/main.yml new file mode 100644 index 00000000..c9261474 --- /dev/null +++ b/roles/nginx/auth/whawty-sso/login/defaults/main.yml @@ -0,0 +1,61 @@ +--- +# whawty_nginx_sso_logins: +# example: +# hostname: login.example.com +# tls: +# certificate_provider: .... +# ... +# config: +# cookie: +# domain: ".example.com" +# name: __Secure-example-sso +# secure: yes +# expire: 168h +# keys: +# - name: 2023-11 +# ed25519: +# private-key: |- +# .... +# auth: +# ldap: +# servers: +# - ldaps://ldap1.example.com +# - ldaps://ldap2.example.com +# tls: +# start-tls: false +# insecure-skip-verify: false +# ca-certificates: |- +# -----BEGIN CERTIFICATE----- +# ... +# -----END CERTIFICATE----- +# web: +# listen: 127.0.0.1:1234 +# login: +# title: "example.com - Login" +# foo: +# hostname: login.foo.bar +# tls: +# certificate_provider: .... +# ... +# config: +# cookie: +# domain: ".example.com" +# name: __Secure-foobar-sso +# secure: yes +# expire: 24h +# keys: +# - name: 2023-11 +# ed25519: +# private-key: |- +# .... +# auth: +# static: +# autoreload: yes +# web: +# listen: 127.0.0.1:2345 +# login: +# title: "foobar - Login" + +# whawty_nginx_sso_login_static_credentials__foo: +# admin: "very-secret" +# equinox: "secret" diff --git a/roles/nginx/auth/whawty-sso/login/handlers/main.yml b/roles/nginx/auth/whawty-sso/login/handlers/main.yml new file mode 100644 index 00000000..f4bbf308 --- /dev/null +++ b/roles/nginx/auth/whawty-sso/login/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: restart whawty-nginx-sso + loop: "{{ whawty_nginx_sso_logins | list }}" + service: + name: "whawty-nginx-sso@{{ item }}.service" + state: restarted diff --git a/roles/nginx/auth/whawty-sso/login/tasks/main.yml b/roles/nginx/auth/whawty-sso/login/tasks/main.yml new file mode 100644 index 00000000..1ab43c8e --- /dev/null +++ b/roles/nginx/auth/whawty-sso/login/tasks/main.yml @@ -0,0 +1,64 @@ +--- +- name: create configuration directory + file: + path: /etc/nginx/auth/whawty-sso + state: directory + +- name: generate htpasswd files for static backends + loop: "{{ whawty_nginx_sso_logins | dict2items | selectattr('value.config.auth.static', 'defined') | selectattr('value.config.auth.static.htpasswd', 'undefined') }}" + loop_control: + label: "{{ item.key }}" + copy: + content: | + {% for user,password in lookup('vars', 'whawty_nginx_sso_login_static_credentials__'~item.key).items() %} + {{ user }}:{{ password | password_hash('bcrypt', (user~'@whawty-nginx-sso_'~item.key) | bcrypt_salt) }} + {% endfor %} + dest: "/etc/nginx/auth/whawty-sso/{{ item.key }}.htpasswd" + mode: 0400 + + +- name: generate configuration file + loop: "{{ whawty_nginx_sso_logins | dict2items }}" + loop_control: + label: "{{ item.key }}" + copy: + content: | + # ansible generated + {% set ssoconf = item.value.config %} + {% if 'static' in ssoconf.auth and 'htpasswd' not in ssoconf.auth.static %} + {% set _dummy = ssoconf.auth.static.update({'htpasswd': '/etc/nginx/auth/whawty-sso/'~item.key~'.htpasswd'}) %} + {% endif %} + {{ ssoconf | to_nice_yaml(indent=2) }} + dest: "/etc/nginx/auth/whawty-sso/{{ item.key }}.yml" + mode: 0400 + notify: restart whawty-nginx-sso + +- name: make sure nginx-sso services are enabled and started + loop: "{{ whawty_nginx_sso_logins | list }}" + systemd: + name: "whawty-nginx-sso@{{ item }}.service" + daemon_reload: yes + state: started + enabled: yes + +- name: configure vhost for whawty nginx-sso login + loop: "{{ whawty_nginx_sso_logins | dict2items }}" + loop_control: + label: "{{ item.key }}" + vars: + nginx_vhost: + name: "whawty-nginx-sso-{{ item.key }}" + template: generic + tls: + certificate_provider: acmetool + certificate_config: + request: + challenge: + http-self-test: false + hostnames: + - "{{ item.value.hostname }}" + locations: + '/': + proxy_pass: "http://{{ item.value.config.web.listen }}/" + include_role: + name: nginx/vhost |