-rw-r--r-- | chaos-at-home/ch-http-proxy.yml | 2 | ||||
-rw-r--r-- | chaos-at-home/host_vars/ch-http-proxy.yml | 22 | ||||
-rw-r--r-- | files/chaos-at-home/bind-zones/db.chaos-at-home.org | 4 | ||||
-rw-r--r-- | inventory/host_vars/ch-http-proxy.yml | 35 | ||||
-rw-r--r-- | roles/nginx/auth/whawty-sso/base/defaults/main.yml | 8 | ||||
-rw-r--r-- | roles/nginx/auth/whawty-sso/base/tasks/main.yml | 20 | ||||
-rw-r--r-- | roles/nginx/auth/whawty-sso/base/templates/nginx.snippet.j2 | 19 | ||||
-rw-r--r-- | roles/nginx/auth/whawty-sso/base/templates/whawty-nginx-sso@.service.j2 | 31 | ||||
-rw-r--r-- | roles/nginx/auth/whawty-sso/login/defaults/main.yml | 61 | ||||
-rw-r--r-- | roles/nginx/auth/whawty-sso/login/handlers/main.yml | 6 | ||||
-rw-r--r-- | roles/nginx/auth/whawty-sso/login/tasks/main.yml | 64 |
11 files changed, 271 insertions, 1 deletions
diff --git a/chaos-at-home/ch-http-proxy.yml b/chaos-at-home/ch-http-proxy.yml
index cab4e450..aa2ad3ef 100644
--- a/chaos-at-home/ch-http-proxy.yml
+++ b/chaos-at-home/ch-http-proxy.yml
@@ -13,6 +13,8 @@
 - role: apt-repo/spreadspace
 - role: x509/acmetool/base
 - role: nginx/base
+ - role: nginx/auth/whawty-sso/base
+ - role: nginx/auth/whawty-sso/login
 post_tasks:
 #### web.chaos-at-home.org (default-server)
 - name: create directory for default server
diff --git a/chaos-at-home/host_vars/ch-http-proxy.yml b/chaos-at-home/host_vars/ch-http-proxy.yml
new file mode 100644
index 00000000..37bfb8c6
--- /dev/null
+++ b/chaos-at-home/host_vars/ch-http-proxy.yml
@@ -0,0 +1,22 @@ +$ANSIBLE_VAULT;1.2;AES256;chaos-at-home +39653130626231373336313238643865323834663239623964316638646436636531303761356163 +3931636530306337306466383333626530663061326563620a366236373962346564386332626239 +33626334663639363731376161666563646135653735343534306639393136623431636165633333 +3233636565326531630a646639366238343466316131653236306561346538343161386136613736 +32336165353566323266613735356138336261613737653064653866313564626339663262303266 +30323535623965613938383930383938663938363738613636643566323234613433393439366434 +64333738333032316538613538356563333562636436636436326133393434373061373661363565 +38326332343038353365616634306366663264383564383762333230623530343061623439626631 +33646339383532616566376633663430383530663166373163613163303564353062316166383730 +35633461333238333532303434326132656339666232313965316264343739393766323938303062 +62616465613230356465656537613131363135663832346530623232626436646531363931633366 +66396261653130623533616530313161333038653334653039623138353337323631613137383664 +35353563376530373131623739393930613365346230343231636632613234613663366438646236 +37356162323938653734313064393330353437653962316565376233326461636162636163353430 +32333939373864653264316263346434616631373830656530313337626232633432633937316234 +64613131396634613962313766373135383030616137633634326637373966633236643463396265 +62313364313365643939363139366361636137613965616632323734633034633964333032656562 +30663963323038323734633761303632633666373736303263386231653538363933623064303039 +65613466323933386263353335636137316162373563613463636663643761633430333138383931 +35393263383230393333303539663534646465333862616533346161386665333864323937353536 +3438 diff --git a/files/chaos-at-home/bind-zones/db.chaos-at-home.org b/files/chaos-at-home/bind-zones/db.chaos-at-home.org index 000864bf..a27f0c1d 100644 --- a/files/chaos-at-home/bind-zones/db.chaos-at-home.org +++ b/files/chaos-at-home/bind-zones/db.chaos-at-home.org 
@@ -2,7 +2,7 @@ $origin chaos-at-home.org.
 $TTL 1h
 @ SOA ns0 hostmaster (
- 2023051600
+ 2023111200
 1h
 15m
 30d
@@ -59,12 +59,14 @@ magenta.jump CNAME magenta.router
 magenta.web cNAME magenta.router
 magenta.mail CNAME magenta.router
 magenta.passwd CNAME magenta.router
+magenta.login CNAME magenta.router
 router 600 CNAME magenta.router
 jump 600 CNAME magenta.jump
 web 600 CNAME magenta.web
 mail 600 CNAME magenta.mail
 passwd 600 CNAME magenta.passwd
+login 600 CNAME magenta.login
 imap CNAME mail
 webmail CNAME web
diff --git a/inventory/host_vars/ch-http-proxy.yml b/inventory/host_vars/ch-http-proxy.yml
index 070fbfd6..255dbebe 100644
--- a/inventory/host_vars/ch-http-proxy.yml
+++ b/inventory/host_vars/ch-http-proxy.yml
@@ -34,3 +34,38 @@ network:
 acme_directory_server: "{{ acme_directory_server_le_live_v2 }}"
+
+
+whawty_nginx_sso_backends:
+ chaos-at-home:
+ port: 1234
+ login_url: https://login.chaos-at-home.org/login
+
+whawty_nginx_sso_logins:
+ chaos-at-home:
+ hostname: login.chaos-at-home.org
+ tls:
+ certificate_provider: acmetool
+ certificate_config:
+ request:
+ challenge:
+ http-self-test: false
+ config:
+ cookie:
+ domain: ".chaos-at-home.org"
+ name: __Secure-chaos-at-home-sso
+ secure: yes
+ expire: 23h
+ keys:
+ - name: 2023-11
+ ed25519:
+ private-key: "{{ vault_whawty_nginx_sso_login_keys['chaos-at-home']['2023-11'] }}"
+ auth:
+ static:
+ autoreload: yes
+ web:
+ listen: 127.0.0.1:1234
+ login:
+ title: "chaoSSO login"
+
+whawty_nginx_sso_login_static_credentials__chaos-at-home: "{{ vault_whawty_nginx_sso_login_static_credentials['chaos-at-home'] }}"
diff --git a/roles/nginx/auth/whawty-sso/base/defaults/main.yml b/roles/nginx/auth/whawty-sso/base/defaults/main.yml
new file mode 100644
index 00000000..62c3e318
--- /dev/null
+++ b/roles/nginx/auth/whawty-sso/base/defaults/main.yml
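Review bot: The cookie `domain: ".chaos-at-home.org"` in `whawty_nginx_sso_logins` shares the SSO session cookie with every host under the zone, and the zone hunk in this same commit places router, jump, mail, passwd, imap and webmail names there; any of those endpoints, or any vhost added later, receives the cookie from the browser and can replay it against every backend listed in `whawty_nginx_sso_backends`, so a compromise of one host becomes a compromise of the whole SSO session. If that is the intended trust boundary it should be stated next to the setting, e.g. `# cookie is sent to every *.chaos-at-home.org host: only fully trusted vhosts may live in this zone`; if a narrower scope (a dedicated sub-zone for SSO-protected services) is possible, use it. Also `secure: yes` and `autoreload: yes` are YAML 1.1 truthy forms that only become `true` because `to_nice_yaml` re-serialises them in the login role; writing `secure: true` / `autoreload: true` directly is clearer and survives a YAML 1.2 parser.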
@@ -0,0 +1,8 @@
+---
+# whawty_nginx_sso_backends:
+# example:
+# port: 1234
+# login_url: https://login.example.com/login
+# foo:
+# port: 2345
+# login_url: https://login.foo.bar/login
diff --git a/roles/nginx/auth/whawty-sso/base/tasks/main.yml b/roles/nginx/auth/whawty-sso/base/tasks/main.yml
new file mode 100644
index 00000000..a410cfeb
--- /dev/null
+++ b/roles/nginx/auth/whawty-sso/base/tasks/main.yml
@@ -0,0 +1,20 @@
+---
+# TODO: create whawty-nginx-sso user?
+
+- name: install nginx-sso package
+ apt:
+ name: whawty-nginx-sso
+ state: present
+
+- name: generate nginx snippets
+ loop: "{{ whawty_nginx_sso_backends | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ template:
+ src: nginx.snippet.j2
+ dest: "/etc/nginx/snippets/whawty-sso-{{ item.key }}.conf"
+
+- name: install systemd service unit
+ template:
+ src: whawty-nginx-sso@.service.j2
+ dest: /etc/systemd/system/whawty-nginx-sso@.service
diff --git a/roles/nginx/auth/whawty-sso/base/templates/nginx.snippet.j2 b/roles/nginx/auth/whawty-sso/base/templates/nginx.snippet.j2
new file mode 100644
index 00000000..f8f67c45
--- /dev/null
+++ b/roles/nginx/auth/whawty-sso/base/templates/nginx.snippet.j2
@@ -0,0 +1,19 @@
+auth_request /auth;
+error_page 401 = @error401;
+
+location /auth {
+ internal;
+
+ proxy_pass 127.0.0.1:{{ item.value.port }}/auth;
+ proxy_pass_request_body off;
+ proxy_set_header Content-Length "";
+ proxy_set_header X-Origin-URI $request_uri;
+ proxy_set_header X-Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+}
+
+location @error401 {
+ return 302 {{ item.value.login_url }}?redir=$scheme://$http_host$request_uri;
+}
diff --git a/roles/nginx/auth/whawty-sso/base/templates/whawty-nginx-sso@.service.j2 b/roles/nginx/auth/whawty-sso/base/templates/whawty-nginx-sso@.service.j2
new file mode 100644
index 00000000..d4a787f3
--- /dev/null
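Review bot: Neither the `generate nginx snippets` task nor the `install systemd service unit` task notifies anything, so a changed `/etc/nginx/snippets/whawty-sso-*.conf` is not applied until nginx is reloaded for some unrelated reason, and a changed `whawty-nginx-sso@.service` is only re-read because the login role happens to run `daemon_reload: yes` on every play; the base role on its own leaves both stale. Add `notify: reload nginx` to the snippet task (assuming nginx/base provides that handler, which is outside this diff) and a handler running `systemd: daemon_reload: yes` for the unit task. The `# TODO: create whawty-nginx-sso user?` should be resolved rather than deferred, since the unit installed here carries no `User=` and therefore runs the daemon as root.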
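Review bot: `proxy_pass 127.0.0.1:{{ item.value.port }}/auth;` has no scheme; nginx accepts only `http://`, `https://` or `unix:` targets in proxy_pass and rejects the rendered snippet at configuration test with "invalid URL prefix", so every vhost that includes it fails to load — it should read `proxy_pass http://127.0.0.1:{{ item.value.port }}/auth;`. Separately, the `@error401` redirect interpolates `$request_uri` unescaped into `?redir=`, so an `&` or `#` in the original query string truncates the value the login service sees; `return` cannot percent-encode, so either the login service must accept the raw form or the redirect should carry only `$uri`. Finally `$http_host` is client-supplied unless the vhost pins `server_name`, and `$proxy_add_x_forwarded_for` appends to a client-supplied header, so the backend must validate `redir` against the cookie domain before using it as a post-login target and must not treat X-Forwarded-For as an authenticated address; whether whawty-nginx-sso does either is not visible here.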
+++ b/roles/nginx/auth/whawty-sso/base/templates/whawty-nginx-sso@.service.j2
@@ -0,0 +1,31 @@
+[Unit]
+Description=whawty nginx SSO authentication daemon (%i)
+
+[Service]
+Restart=on-failure
+#Environment="WHAWTY_NGINX_SSO_DEBUG=1"
+ExecStart=/usr/bin/whawty-nginx-sso --config /etc/nginx/auth/whawty-sso/%i.yml run
+
+# systemd hardening-options
+AmbientCapabilities=
+CapabilityBoundingSet=
+DeviceAllow=/dev/null rw
+DevicePolicy=strict
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=full
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/nginx/auth/whawty-sso/login/defaults/main.yml b/roles/nginx/auth/whawty-sso/login/defaults/main.yml
new file mode 100644
index 00000000..c9261474
--- /dev/null
+++ b/roles/nginx/auth/whawty-sso/login/defaults/main.yml
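Review bot: The `[Service]` section carries a long hardening list but no `User=`, so the daemon that holds the ed25519 signing key from `/etc/nginx/auth/whawty-sso/%i.yml` and answers every auth_request runs as root; `PrivateUsers=true` and the empty capability sets reduce what a compromised process can do but do not change that. A dedicated unprivileged user (the TODO in the base role) is the real fix, and the login role's config and htpasswd files, written 0400 and root-owned, then need `owner:` set to that user or to be handed over via `LoadCredential=`. While here, `ProtectSystem=full` could be `strict`, and `RestrictAddressFamilies`, `RestrictSUIDSGID`, `ProtectKernelLogs` and a `SystemCallFilter` are the usual missing directives; whether the daemon needs AF_UNIX (resolver via nscd, or a UNIX listen socket) or any syscall outside `@system-service` is not visible here, so verify with `systemd-analyze security` and a test run before tightening.
```ini
[Service]
# … unchanged: Restart, Environment, ExecStart …
User=whawty-nginx-sso
Group=whawty-nginx-sso
# … unchanged: existing hardening options …
ProtectSystem=strict
ProtectKernelLogs=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictSUIDSGID=true
SystemCallFilter=@system-service
```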
@@ -0,0 +1,61 @@
+---
+# whawty_nginx_sso_logins:
+# example:
+# hostname: login.example.com
+# tls:
+# certificate_provider: ....
+# ...
+# config:
+# cookie:
+# domain: ".example.com"
+# name: __Secure-example-sso
+# secure: yes
+# expire: 168h
+# keys:
+# - name: 2023-11
+# ed25519:
+# private-key: |-
+# ....
+# auth:
+# ldap:
+# servers:
+# - ldaps://ldap1.example.com
+# - ldaps://ldap2.example.com
+# tls:
+# start-tls: false
+# insecure-skip-verify: false
+# ca-certificates: |-
+# -----BEGIN CERTIFICATE-----
+# ...
+# -----END CERTIFICATE-----
+# web:
+# listen: 127.0.0.1:1234
+# login:
+# title: "example.com - Login"
+# foo:
+# hostname: login.foo.bar
+# tls:
+# certificate_provider: ....
+# ...
+# config:
+# cookie:
+# domain: ".example.com"
+# name: __Secure-foobar-sso
+# secure: yes
+# expire: 24h
+# keys:
+# - name: 2023-11
+# ed25519:
+# private-key: |-
+# ....
+# auth:
+# static:
+# autoreload: yes
+# web:
+# listen: 127.0.0.1:2345
+# login:
+# title: "foobar - Login"
+
+# whawty_nginx_sso_login_static_credentials__foo:
+# admin: "very-secret"
+# equinox: "secret"
diff --git a/roles/nginx/auth/whawty-sso/login/handlers/main.yml b/roles/nginx/auth/whawty-sso/login/handlers/main.yml
new file mode 100644
index 00000000..f4bbf308
--- /dev/null
+++ b/roles/nginx/auth/whawty-sso/login/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: restart whawty-nginx-sso
+ loop: "{{ whawty_nginx_sso_logins | list }}"
+ service:
+ name: "whawty-nginx-sso@{{ item }}.service"
+ state: restarted
diff --git a/roles/nginx/auth/whawty-sso/login/tasks/main.yml b/roles/nginx/auth/whawty-sso/login/tasks/main.yml
new file mode 100644
index 00000000..1ab43c8e
--- /dev/null
+++ b/roles/nginx/auth/whawty-sso/login/tasks/main.yml
@@ -0,0 +1,64 @@
+---
+- name: create configuration directory
+ file:
+ path: /etc/nginx/auth/whawty-sso
+ state: directory
+
+- name: generate htpasswd files for static backends
+ loop: "{{ whawty_nginx_sso_logins | dict2items | selectattr('value.config.auth.static', 'defined') | selectattr('value.config.auth.static.htpasswd', 'undefined') }}"
+ loop_control:
+ label: "{{ item.key }}"
+ copy:
+ content: |
+ {% for user,password in lookup('vars', 'whawty_nginx_sso_login_static_credentials__'~item.key).items() %}
+ {{ user }}:{{ password | password_hash('bcrypt', (user~'@whawty-nginx-sso_'~item.key) | bcrypt_salt) }}
+ {% endfor %}
+ dest: "/etc/nginx/auth/whawty-sso/{{ item.key }}.htpasswd"
+ mode: 0400
+
+
+- name: generate configuration file
+ loop: "{{ whawty_nginx_sso_logins | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ copy:
+ content: |
+ # ansible generated
+ {% set ssoconf = item.value.config %}
+ {% if 'static' in ssoconf.auth and 'htpasswd' not in ssoconf.auth.static %}
+ {% set _dummy = ssoconf.auth.static.update({'htpasswd': '/etc/nginx/auth/whawty-sso/'~item.key~'.htpasswd'}) %}
+ {% endif %}
+ {{ ssoconf | to_nice_yaml(indent=2) }}
+ dest: "/etc/nginx/auth/whawty-sso/{{ item.key }}.yml"
+ mode: 0400
+ notify: restart whawty-nginx-sso
+
+- name: make sure nginx-sso services are enabled and started
+ loop: "{{ whawty_nginx_sso_logins | list }}"
+ systemd:
+ name: "whawty-nginx-sso@{{ item }}.service"
+ daemon_reload: yes
+ state: started
+ enabled: yes
+
+- name: configure vhost for whawty nginx-sso login
+ loop: "{{ whawty_nginx_sso_logins | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ vars:
+ nginx_vhost:
+ name: "whawty-nginx-sso-{{ item.key }}"
+ template: generic
+ tls:
+ certificate_provider: acmetool
+ certificate_config:
+ request:
+ challenge:
+ http-self-test: false
+ hostnames:
+ - "{{ item.value.hostname }}"
+ locations:
+ '/':
+ proxy_pass: "http://{{ item.value.config.web.listen }}/"
+ include_role:
+ name: 
nginx/vhost |
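Review bot: Both `copy` tasks write secret material from `content:` — the ed25519 private key inside the `to_nice_yaml` output of `generate configuration file` and the bcrypt htpasswd in `generate htpasswd files for static backends` — and neither sets `diff: false` or `no_log`, so a run with `--diff`, or a task failure, prints the key material to the controller's stdout and any log collector; add `diff: false` to both tasks and `no_log: true` if play output is archived. The bcrypt salt is derived deterministically from `user~'@whawty-nginx-sso_'~item.key`, presumably to keep the task idempotent, which makes the salt public and identical for the same user and key name on every host, so equal passwords yield equal hashes; this is tolerable only because the file is `mode: 0400`, and deserves a comment such as `# deterministic salt keeps the task idempotent; the salt is not secret, the file mode is the only protection`. Note also that `bcrypt_salt` is not an Ansible core filter, so the role silently depends on a project filter plugin that is outside this diff.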