author | Christian Pointner <equinox@spreadspace.org> | 2023-11-13 21:56:24 +0100 |
---|---|---|
committer | Christian Pointner <equinox@spreadspace.org> | 2023-11-13 21:56:24 +0100 |
commit | a0c1aa799d94c3ce0c697bfd6777e0233dd77d92 (patch) | |
tree | 0c2b858fc4526bc64edc1668da4580f8d54d6ef3 /roles/nginx/auth/whawty-sso | |
parent | add role nginx/auth/whawty-sso (diff) |
finalize whawty.nginx-sso roles
Diffstat (limited to 'roles/nginx/auth/whawty-sso')
5 files changed, 64 insertions, 3 deletions
diff --git a/roles/nginx/auth/whawty-sso/auth/defaults/main.yml b/roles/nginx/auth/whawty-sso/auth/defaults/main.yml
new file mode 100644
index 00000000..ca08addb
--- /dev/null
+++ b/roles/nginx/auth/whawty-sso/auth/defaults/main.yml
@@ -0,0 +1,30 @@
+---
+# whawty_nginx_sso_auths:
+# example:
+# config:
+# cookie:
+# domain: ".example.com"
+# name: __Secure-example-sso
+# secure: yes
+# expire: 168h
+# keys:
+# - name: 2023-11
+# ed25519:
+# public-key: |-
+# ....
+# web:
+# listen: 127.0.0.1:1234
+# foo:
+# config:
+# cookie:
+# domain: ".foo.bar"
+# name: __Secure-foobar-sso
+# secure: yes
+# expire: 24h
+# keys:
+# - name: 2023-11
+# ed25519:
+# public-key: |-
+# ....
+# web:
+# listen: 127.0.0.1:2345
diff --git a/roles/nginx/auth/whawty-sso/auth/handlers/main.yml b/roles/nginx/auth/whawty-sso/auth/handlers/main.yml
new file mode 100644
index 00000000..fad676ce
--- /dev/null
+++ b/roles/nginx/auth/whawty-sso/auth/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: restart whawty-nginx-sso
+ loop: "{{ whawty_nginx_sso_auths | list }}"
+ service:
+ name: "whawty-nginx-sso@{{ item }}.service"
+ state: restarted
diff --git a/roles/nginx/auth/whawty-sso/auth/tasks/main.yml b/roles/nginx/auth/whawty-sso/auth/tasks/main.yml
new file mode 100644
index 00000000..fa6048dd
--- /dev/null
+++ b/roles/nginx/auth/whawty-sso/auth/tasks/main.yml
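Review bot: The handler restarts every `whawty-nginx-sso@` instance whenever any one configuration file changes, because `loop: "{{ whawty_nginx_sso_auths | list }}"` iterates over all keys of the dict rather than over the instances whose file was actually rewritten. On a host carrying several auth instances this means an avoidable interruption of unrelated SSO endpoints on each change; narrowing it would require the copy task in tasks/main.yml to `register` its result and the handler to loop only over the changed items, which may or may not be worth it depending on how many instances share a host. The handler also uses the `service` module while the tasks file in this same commit drives the identical units through `systemd`; pick one module for both so the unit handling is consistent.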
@@ -0,0 +1,25 @@
+---
+- name: create configuration directory
+ file:
+ path: /etc/nginx/auth/whawty-sso
+ state: directory
+
+- name: generate configuration file
+ loop: "{{ whawty_nginx_sso_auths | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ copy:
+ content: |
+ # ansible generated
+ {{ item.value.config | to_nice_yaml(indent=2) }}
+ dest: "/etc/nginx/auth/whawty-sso/{{ item.key }}.yml"
+ mode: 0400
+ notify: restart whawty-nginx-sso
+
+- name: make sure nginx-sso services are enabled and started
+ loop: "{{ whawty_nginx_sso_auths | list }}"
+ systemd:
+ name: "whawty-nginx-sso@{{ item }}.service"
+ daemon_reload: yes
+ state: started
+ enabled: yes
diff --git a/roles/nginx/auth/whawty-sso/base/templates/nginx.snippet.j2 b/roles/nginx/auth/whawty-sso/base/templates/nginx.snippet.j2
index f8f67c45..87f71577 100644
--- a/roles/nginx/auth/whawty-sso/base/templates/nginx.snippet.j2
+++ b/roles/nginx/auth/whawty-sso/base/templates/nginx.snippet.j2
@@ -4,7 +4,7 @@ error_page 401 = @error401;
 location /auth {
 internal;
- proxy_pass 127.0.0.1:{{ item.value.port }}/auth;
+ proxy_pass http://127.0.0.1:{{ item.value.port }}/auth;
 proxy_pass_request_body off;
 proxy_set_header Content-Length "";
 proxy_set_header X-Origin-URI $request_uri;
@@ -15,5 +15,5 @@ location /auth {
 }
 location @error401 {
- return 302 {{ item.value.login_url }}?redir=$scheme://$http_host$request_uri;
+ return 303 {{ item.value.login_url }}?redir=$scheme://$http_host$request_uri;
 }
diff --git a/roles/nginx/auth/whawty-sso/login/defaults/main.yml b/roles/nginx/auth/whawty-sso/login/defaults/main.yml
index c9261474..6f7afe04 100644
--- a/roles/nginx/auth/whawty-sso/login/defaults/main.yml
+++ b/roles/nginx/auth/whawty-sso/login/defaults/main.yml
@@ -39,7 +39,7 @@
 # ...
 # config:
 # cookie:
-# domain: ".example.com"
+# domain: ".foo.bar"
 # name: __Secure-foobar-sso
 # secure: yes
 # expire: 24h
|
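Review bot: `mode: 0400` on the copy task is an unquoted octal that a YAML 1.1 parser turns into the integer 256; Ansible tolerates that form today, but it is exactly what ansible-lint's risky-octal rule flags, so write `mode: "0400"` (and `true` rather than `yes` for `daemon_reload` and `enabled`). Neither the directory task nor the copy task sets `owner`/`group`, so the generated file ends up owned by whatever user Ansible writes it as and, at 0400, is unreadable by anyone else — if the `whawty-nginx-sso@` units run as a dedicated service user (the unit definition is not in this commit), they will fail to open their config; confirm which user the unit runs as and set `owner` explicitly either way. Entries removed from `whawty_nginx_sso_auths` are never cleaned up: their `/etc/nginx/auth/whawty-sso/<name>.yml` stays on disk and the matching unit stays enabled and running, leaving an orphaned authentication backend listening; a follow-up task that disables units and removes files whose name is not among the variable's keys would close that gap.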
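Review bot: The `redir` query value in the new `return 303` line is built from `$scheme://$http_host$request_uri` without percent-encoding, so a request that itself carries a query string (`/app?x=1`) produces `?redir=https://host/app?x=1`, where `x=1` becomes a separate parameter of the login URL and the redirect target is cut off at the `?`; the 302→303 change is the right status for a redirect after a POST but does not address this. nginx core has no URL-escaping variable, so either pass the components to the login service separately (extra query parameters or headers it reassembles) or generate the value with a module that can escape, such as njs; `$request_uri` remains the raw client-supplied value in both cases. Because `$http_host` is taken from the client's Host header, the login service must treat `redir` as untrusted and follow it only when it points back at one of its configured domains; a comment on this line would make that contract visible, e.g. `# redir is unescaped and client-controlled: the login service must validate it before redirecting`. The other hunk in this file (`proxy_pass http://127.0.0.1:...`) only adds the scheme nginx requires and needs nothing further.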