authorChristian Pointner <equinox@spreadspace.org>2023-11-29 23:45:35 +0100
committerChristian Pointner <equinox@spreadspace.org>2023-11-29 23:45:35 +0100
commit58feb5f1ab2e016464cea2f13b7f1f28cb14b6b7 (patch)
treeea9c3f417f5f81003b3e24818ddca4fa5ef347e2 /roles/nginx
parentch-equinox-*: installing missing kicad packages (diff)
nginx/auth/whawty-sso: add support for release 0.2 and revokable sessions
Diffstat (limited to 'roles/nginx')
-rw-r--r--roles/nginx/auth/whawty-sso/auth/defaults/main.yml11
-rw-r--r--roles/nginx/auth/whawty-sso/auth/tasks/main.yml15
-rw-r--r--roles/nginx/auth/whawty-sso/login/defaults/main.yml16
-rw-r--r--roles/nginx/auth/whawty-sso/login/tasks/main.yml12
4 files changed, 47 insertions, 7 deletions
diff --git a/roles/nginx/auth/whawty-sso/auth/defaults/main.yml b/roles/nginx/auth/whawty-sso/auth/defaults/main.yml
index ca08addb..e42a4b44 100644
--- a/roles/nginx/auth/whawty-sso/auth/defaults/main.yml
+++ b/roles/nginx/auth/whawty-sso/auth/defaults/main.yml
@@ -10,8 +10,10 @@
# keys:
# - name: 2023-11
# ed25519:
-# public-key: |-
+# public-key-data: |-
# ....
+# backend:
+# bolt: {}
# web:
# listen: 127.0.0.1:1234
# foo:
@@ -24,7 +26,12 @@
# keys:
# - name: 2023-11
# ed25519:
-# public-key: |-
+# public-key-data: |-
# ....
+# backend:
+# sync:
+# base-url: http://192.0.2.1:1234
+# bolt:
+# path: /path/to/db.bolt
# web:
# listen: 127.0.0.1:2345
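Review bot: The `sync` backend example `base-url: http://192.0.2.1:1234` documents a plain-HTTP transport for what is presumably session and revocation state pulled from the login service, so anyone copying the reference config gets an unencrypted channel by default. Since these commented blocks are what operators copy, either show an `https://` URL or add a comment on that line such as `# plain http only on a trusted/loopback network; prefer https`. Whether release 0.2 authenticates the sync peer is not visible in this diff, so confirm against upstream before documenting the channel as safe.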
diff --git a/roles/nginx/auth/whawty-sso/auth/tasks/main.yml b/roles/nginx/auth/whawty-sso/auth/tasks/main.yml
index fa6048dd..5ae64b9b 100644
--- a/roles/nginx/auth/whawty-sso/auth/tasks/main.yml
+++ b/roles/nginx/auth/whawty-sso/auth/tasks/main.yml
@@ -4,6 +4,15 @@
path: /etc/nginx/auth/whawty-sso
state: directory
+- name: make sure store backend directories exist
+ loop: "{{ whawty_nginx_sso_auths | dict2items | selectattr('value.config.cookie.backend.bolt', 'defined') }}"
+ loop_control:
+ label: "{{ item.key }}"
+ file:
+ path: "{{ item.value.config.cookie.backend.bolt.path | default('/var/lib/whawty/nginx-sso/'~item.key~'.bolt') | dirname }}"
+ state: directory
+ mode: 0700
+
- name: generate configuration file
loop: "{{ whawty_nginx_sso_auths | dict2items }}"
loop_control:
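Review bot: The new `file` task creates the bolt store directory with `mode: 0700` but sets no `owner`/`group`, so it belongs to the Ansible connection user (usually root); if whawty-nginx-sso runs under a dedicated service account, it cannot create its database inside a root-owned 0700 directory. If the service does run as root, a comment on the task saying so would spare the next reader the same question; otherwise add `owner: <service-user>` and `group: <service-group>` next to `mode`. The same task is added to `login/tasks/main.yml`, and the default path `'/var/lib/whawty/nginx-sso/'~item.key~'.bolt'` is spelled out four times across the two task files (this task, the template `.update()` in the next hunk, and both again in the login role), so a single role variable would keep the created directory and the generated config from drifting apart. `mode: 0700` as an unquoted plain scalar relies on YAML 1.1 octal parsing; ansible-lint's risky-octal rule prefers `mode: "0700"`, though the existing `mode: 0400` lines use the same form.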
@@ -11,7 +20,11 @@
copy:
content: |
# ansible generated
- {{ item.value.config | to_nice_yaml(indent=2) }}
+ {% set ssoconf = item.value.config %}
+ {% if 'bolt' in ssoconf.cookie.backend and 'path' not in ssoconf.cookie.backend.bolt %}
+ {% set _dummy = ssoconf.cookie.backend.bolt.update({'path': '/var/lib/whawty/nginx-sso/'~item.key~'.bolt'}) %}
+ {% endif %}
+ {{ ssoconf | to_nice_yaml(indent=2) }}
dest: "/etc/nginx/auth/whawty-sso/{{ item.key }}.yml"
mode: 0400
notify: restart whawty-nginx-sso
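Review bot: The new `{% if 'bolt' in ssoconf.cookie.backend and ... %}` test applies `in` to `ssoconf.cookie.backend` itself, which under Ansible's strict undefined handling will most likely raise rather than skip when an entry has no `cookie.backend` mapping at all. The commented examples in the defaults hunk show `backend:` present, so it may simply be mandatory in release 0.2 — worth confirming; if backend-less configs remain valid, `{% if ssoconf.cookie.backend is defined and 'bolt' in ssoconf.cookie.backend and 'path' not in ssoconf.cookie.backend.bolt %}` preserves their old behaviour. The identical block is added to `login/tasks/main.yml`. Note also that `.update()` mutates `item.value.config` in place rather than on a copy, so the injected `path` persists in the hostvar for later tasks in the play; that matches the existing `htpasswd` handling in the login role, but a comment above the block such as `{# injects the default bolt path into the hostvar in place; later tasks see the mutated config #}` would make the side effect visible.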
diff --git a/roles/nginx/auth/whawty-sso/login/defaults/main.yml b/roles/nginx/auth/whawty-sso/login/defaults/main.yml
index 6f7afe04..6e6249e7 100644
--- a/roles/nginx/auth/whawty-sso/login/defaults/main.yml
+++ b/roles/nginx/auth/whawty-sso/login/defaults/main.yml
@@ -14,17 +14,19 @@
# keys:
# - name: 2023-11
# ed25519:
-# private-key: |-
+# private-key-data: |-
# ....
+# backend:
+# bolt: {}
# auth:
# ldap:
# servers:
# - ldaps://ldap1.example.com
# - ldaps://ldap2.example.com
+# start-tls: false
# tls:
-# start-tls: false
# insecure-skip-verify: false
-# ca-certificates: |-
+# ca-certificates-data: |-
# -----BEGIN CERTIFICATE-----
# ...
# -----END CERTIFICATE-----
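Review bot: The example keeps the ed25519 signing key inline (`private-key-data: |-`, likewise `ca-certificates-data`), so the `whawty_nginx_sso_logins__*` variable carries key material that lives wherever the inventory does. A comment above the example, such as `# keep private-key-data in an ansible-vault encrypted var; the rendered file is installed with mode 0400`, would point operators at the intended handling, since this defaults file is the only documentation of the format in the role. Presumably the `-data` suffix distinguishes inline material from a file path in release 0.2; if a path form exists, documenting it here as the alternative would be useful too.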
@@ -46,8 +48,11 @@
# keys:
# - name: 2023-11
# ed25519:
-# private-key: |-
+# private-key-data: |-
# ....
+# backend:
+# bolt:
+# path: /path/to/db.bolt
# auth:
# static:
# autoreload: yes
@@ -55,6 +60,9 @@
# listen: 127.0.0.1:2345
# login:
# title: "foobar - Login"
+# revocations:
+# tokens:
+# - secret
# whawty_nginx_sso_login_static_credentials__foo:
# admin: "very-secret"
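Review bot: The new `revocations: tokens: - secret` example gives no hint what these tokens gate or who presents them, and unlike the `listen`/`title` keys nearby the name alone does not make it obvious. A one-line comment above `revocations:`, for example `# tokens presented by callers of the session-revocation API; generate a long random value and vault it`, would let operators treat it as the credential it presumably is rather than copying the placeholder. If the tokens serve some other purpose in release 0.2, the comment should say that instead; the diff does not show it.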
diff --git a/roles/nginx/auth/whawty-sso/login/tasks/main.yml b/roles/nginx/auth/whawty-sso/login/tasks/main.yml
index 342c8521..e2267238 100644
--- a/roles/nginx/auth/whawty-sso/login/tasks/main.yml
+++ b/roles/nginx/auth/whawty-sso/login/tasks/main.yml
@@ -16,6 +16,15 @@
dest: "/etc/nginx/auth/whawty-sso/{{ item.key }}.htpasswd"
mode: 0400
+- name: make sure store backend directories exist
+ loop: "{{ whawty_nginx_sso_logins | dict2items | selectattr('value.config.cookie.backend.bolt', 'defined') }}"
+ loop_control:
+ label: "{{ item.key }}"
+ file:
+ path: "{{ item.value.config.cookie.backend.bolt.path | default('/var/lib/whawty/nginx-sso/'~item.key~'.bolt') | dirname }}"
+ state: directory
+ mode: 0700
+
- name: generate configuration file
loop: "{{ whawty_nginx_sso_logins | dict2items }}"
@@ -28,6 +37,9 @@
{% if 'static' in ssoconf.auth and 'htpasswd' not in ssoconf.auth.static %}
{% set _dummy = ssoconf.auth.static.update({'htpasswd': '/etc/nginx/auth/whawty-sso/'~item.key~'.htpasswd'}) %}
{% endif %}
+ {% if 'bolt' in ssoconf.cookie.backend and 'path' not in ssoconf.cookie.backend.bolt %}
+ {% set _dummy = ssoconf.cookie.backend.bolt.update({'path': '/var/lib/whawty/nginx-sso/'~item.key~'.bolt'}) %}
+ {% endif %}
{{ ssoconf | to_nice_yaml(indent=2) }}
dest: "/etc/nginx/auth/whawty-sso/{{ item.key }}.yml"
mode: 0400