authorChristian Pointner <equinox@spreadspace.org>2023-11-13 21:56:24 +0100
committerChristian Pointner <equinox@spreadspace.org>2023-11-13 21:56:24 +0100
commita0c1aa799d94c3ce0c697bfd6777e0233dd77d92 (patch)
tree0c2b858fc4526bc64edc1668da4580f8d54d6ef3 /roles/nginx/auth/whawty-sso
parentadd role nginx/auth/whawty-sso (diff)
finalize whawty.nginx-sso roles
Diffstat (limited to 'roles/nginx/auth/whawty-sso')
-rw-r--r--roles/nginx/auth/whawty-sso/auth/defaults/main.yml30
-rw-r--r--roles/nginx/auth/whawty-sso/auth/handlers/main.yml6
-rw-r--r--roles/nginx/auth/whawty-sso/auth/tasks/main.yml25
-rw-r--r--roles/nginx/auth/whawty-sso/base/templates/nginx.snippet.j24
-rw-r--r--roles/nginx/auth/whawty-sso/login/defaults/main.yml2
5 files changed, 64 insertions, 3 deletions
diff --git a/roles/nginx/auth/whawty-sso/auth/defaults/main.yml b/roles/nginx/auth/whawty-sso/auth/defaults/main.yml
new file mode 100644
index 00000000..ca08addb
--- /dev/null
+++ b/roles/nginx/auth/whawty-sso/auth/defaults/main.yml
@@ -0,0 +1,30 @@
+---
+# whawty_nginx_sso_auths:
+# example:
+# config:
+# cookie:
+# domain: ".example.com"
+# name: __Secure-example-sso
+# secure: yes
+# expire: 168h
+# keys:
+# - name: 2023-11
+# ed25519:
+# public-key: |-
+# ....
+# web:
+# listen: 127.0.0.1:1234
+# foo:
+# config:
+# cookie:
+# domain: ".foo.bar"
+# name: __Secure-foobar-sso
+# secure: yes
+# expire: 24h
+# keys:
+# - name: 2023-11
+# ed25519:
+# public-key: |-
+# ....
+# web:
+# listen: 127.0.0.1:2345
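Review bot: The new defaults file assigns no value at all to `whawty_nginx_sso_auths` — every line is a comment — so a host that includes the role without defining the variable hits the `dict2items` / `list` loops in tasks/main.yml and handlers/main.yml with an undefined variable instead of doing nothing. Adding `whawty_nginx_sso_auths: {}` above the commented example makes the role a safe no-op by default and documents the expected type (a mapping keyed by instance name). The example also writes `secure: yes`; since the per-instance config is rendered through `to_nice_yaml`, writing `secure: true` in the example shows what actually lands in the generated file and avoids the yes/no boolean ambiguity.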
diff --git a/roles/nginx/auth/whawty-sso/auth/handlers/main.yml b/roles/nginx/auth/whawty-sso/auth/handlers/main.yml
new file mode 100644
index 00000000..fad676ce
--- /dev/null
+++ b/roles/nginx/auth/whawty-sso/auth/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: restart whawty-nginx-sso
+ loop: "{{ whawty_nginx_sso_auths | list }}"
+ service:
+ name: "whawty-nginx-sso@{{ item }}.service"
+ state: restarted
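Review bot: The handler drives the units through the `service` module while tasks/main.yml manages the very same `whawty-nginx-sso@{{ item }}.service` instances with `systemd`; using `systemd` in both places keeps the role consistent and avoids two code paths for template-instance units. The handler also restarts every instance in `whawty_nginx_sso_auths` whenever any single configuration file changes, which disrupts unrelated instances; if that is intended, a comment such as `# all instances are restarted on any config change` above the task documents it, otherwise the copy task could `register` its result and the handler loop over the changed items only. Like the tasks, this handler depends on `whawty_nginx_sso_auths` being defined, which the new defaults file does not guarantee.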
diff --git a/roles/nginx/auth/whawty-sso/auth/tasks/main.yml b/roles/nginx/auth/whawty-sso/auth/tasks/main.yml
new file mode 100644
index 00000000..fa6048dd
--- /dev/null
+++ b/roles/nginx/auth/whawty-sso/auth/tasks/main.yml
@@ -0,0 +1,25 @@
+---
+- name: create configuration directory
+ file:
+ path: /etc/nginx/auth/whawty-sso
+ state: directory
+
+- name: generate configuration file
+ loop: "{{ whawty_nginx_sso_auths | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ copy:
+ content: |
+ # ansible generated
+ {{ item.value.config | to_nice_yaml(indent=2) }}
+ dest: "/etc/nginx/auth/whawty-sso/{{ item.key }}.yml"
+ mode: 0400
+ notify: restart whawty-nginx-sso
+
+- name: make sure nginx-sso services are enabled and started
+ loop: "{{ whawty_nginx_sso_auths | list }}"
+ systemd:
+ name: "whawty-nginx-sso@{{ item }}.service"
+ daemon_reload: yes
+ state: started
+ enabled: yes
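Review bot: `mode: 0400` on the copy task is an unquoted octal literal; Ansible asks for file modes to be quoted (`mode: "0400"`) because the YAML parser turns the unquoted form into an integer and a value that loses its leading zero silently becomes a different permission. The generated file is written with 0400 and no `owner`/`group`, so only the account Ansible connects as (presumably root) can read it; if the `whawty-nginx-sso@` instances run under a dedicated service user — their unit is not part of this diff — they will fail to read their config, so confirm the unit's `User=` and set `owner`/`group` to match. The `create configuration directory` task likewise sets no `mode`, and `daemon_reload: yes` / `enabled: yes` should be `true` per yamllint's truthy rule. Entries removed from `whawty_nginx_sso_auths` leave their config file and running instance behind, which may be worth a comment or a cleanup task.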
diff --git a/roles/nginx/auth/whawty-sso/base/templates/nginx.snippet.j2 b/roles/nginx/auth/whawty-sso/base/templates/nginx.snippet.j2
index f8f67c45..87f71577 100644
--- a/roles/nginx/auth/whawty-sso/base/templates/nginx.snippet.j2
+++ b/roles/nginx/auth/whawty-sso/base/templates/nginx.snippet.j2
@@ -4,7 +4,7 @@ error_page 401 = @error401;
location /auth {
internal;
- proxy_pass 127.0.0.1:{{ item.value.port }}/auth;
+ proxy_pass http://127.0.0.1:{{ item.value.port }}/auth;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Origin-URI $request_uri;
@@ -15,5 +15,5 @@ location /auth {
}
location @error401 {
- return 302 {{ item.value.login_url }}?redir=$scheme://$http_host$request_uri;
+ return 303 {{ item.value.login_url }}?redir=$scheme://$http_host$request_uri;
}
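Review bot: The `redir=` value in the new 303 redirect is assembled from `$http_host`, which is copied verbatim from the client's Host header, and from `$request_uri`, which is not URL-encoded; a `&` or `#` in the original request URI truncates the value as seen by the login service, and a client-supplied Host lets the redirect destination be chosen by whoever sends the request. Prefer `$host` (normalized, and fixed to the vhost's name when this snippet is only included in non-default servers) or a configured hostname, and confirm that the login service validates `redir` against the configured cookie domain before bouncing the user back; that check lives outside this diff, so this is a point to verify rather than a defect in the hunk itself. A comment above the `return`, e.g. `# redir is validated by the login service against the cookie domain`, would record that expectation once it is confirmed.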
diff --git a/roles/nginx/auth/whawty-sso/login/defaults/main.yml b/roles/nginx/auth/whawty-sso/login/defaults/main.yml
index c9261474..6f7afe04 100644
--- a/roles/nginx/auth/whawty-sso/login/defaults/main.yml
+++ b/roles/nginx/auth/whawty-sso/login/defaults/main.yml
@@ -39,7 +39,7 @@
# ...
# config:
# cookie:
-# domain: ".example.com"
+# domain: ".foo.bar"
# name: __Secure-foobar-sso
# secure: yes
# expire: 24h