-rw-r--r--chaos-at-home/ch-mon.yml2
-rw-r--r--chaos-at-home/host_vars/ch-http-proxy.yml42
-rw-r--r--chaos-at-home/host_vars/ch-mon.yml49
-rw-r--r--inventory/host_vars/ch-http-proxy.yml2
-rw-r--r--inventory/host_vars/ch-mon.yml58
-rw-r--r--roles/monitoring/grafana/defaults/main.yml7
-rw-r--r--roles/monitoring/grafana/tasks/main.yml22
-rw-r--r--roles/monitoring/landingpage/defaults/main.yml13
-rw-r--r--roles/monitoring/landingpage/tasks/main.yml17
-rw-r--r--roles/monitoring/landingpage/templates/index.html.j22
10 files changed, 163 insertions, 51 deletions
diff --git a/chaos-at-home/ch-mon.yml b/chaos-at-home/ch-mon.yml
index 0e22eb01..5d44104b 100644
--- a/chaos-at-home/ch-mon.yml
+++ b/chaos-at-home/ch-mon.yml
@@ -14,6 +14,8 @@
- role: storage/lvm/groups
- role: nginx/base
- role: apt-repo/spreadspace
+ - role: nginx/auth/whawty-sso/base
+ - role: nginx/auth/whawty-sso/auth
- role: monitoring/prometheus/server
- role: monitoring/prometheus/exporter
- role: monitoring/prometheus/alertmanager
diff --git a/chaos-at-home/host_vars/ch-http-proxy.yml b/chaos-at-home/host_vars/ch-http-proxy.yml
index 37bfb8c6..07dc655d 100644
--- a/chaos-at-home/host_vars/ch-http-proxy.yml
+++ b/chaos-at-home/host_vars/ch-http-proxy.yml
@@ -1,22 +1,22 @@
$ANSIBLE_VAULT;1.2;AES256;chaos-at-home
-39653130626231373336313238643865323834663239623964316638646436636531303761356163
-3931636530306337306466383333626530663061326563620a366236373962346564386332626239
-33626334663639363731376161666563646135653735343534306639393136623431636165633333
-3233636565326531630a646639366238343466316131653236306561346538343161386136613736
-32336165353566323266613735356138336261613737653064653866313564626339663262303266
-30323535623965613938383930383938663938363738613636643566323234613433393439366434
-64333738333032316538613538356563333562636436636436326133393434373061373661363565
-38326332343038353365616634306366663264383564383762333230623530343061623439626631
-33646339383532616566376633663430383530663166373163613163303564353062316166383730
-35633461333238333532303434326132656339666232313965316264343739393766323938303062
-62616465613230356465656537613131363135663832346530623232626436646531363931633366
-66396261653130623533616530313161333038653334653039623138353337323631613137383664
-35353563376530373131623739393930613365346230343231636632613234613663366438646236
-37356162323938653734313064393330353437653962316565376233326461636162636163353430
-32333939373864653264316263346434616631373830656530313337626232633432633937316234
-64613131396634613962313766373135383030616137633634326637373966633236643463396265
-62313364313365643939363139366361636137613965616632323734633034633964333032656562
-30663963323038323734633761303632633666373736303263386231653538363933623064303039
-65613466323933386263353335636137316162373563613463636663643761633430333138383931
-35393263383230393333303539663534646465333862616533346161386665333864323937353536
-3438
+63313961666162316532353939366130396166333935653066343665353566323661373639356232
+6431656639646530353438666538373839323661613135300a373662616166643566316437353265
+39386362623134613863616261386565643862343839623630613338326139633031393965356234
+6334646538373032640a636231393932633233663031376463353861316639653733643335393438
+61623161396630633637376261666162633063346266373337393866396366326432633832643530
+33333432643834303634646335356535346538326462663663356431613762643138383635663531
+33323534376534616163313064336361373636653266356430303163363031663438316439306533
+38343333346162303639343937663664633031613638306234373961333762333039313962313232
+31323736633934356637633666363565656532343261353465366633333338363834393738373933
+65623532333363316165643437643935336436313230303366313131393131653636666139303034
+63623231303833356563613538396638653235613430363537316566386466643565316262363739
+63323937383337633039323138626235613130373931636437613836616331356633346566306433
+34333336326634333732643839333634323736633363633365626132633562613730356638336637
+64306463633465363362393635366435353633393836323231326435346163313436333130636639
+64653331356331356464656530626235363965323135323135643239336230656337356362333261
+38356161396334616636323163376463626465393932376662336333373133656361663236346237
+34373439383065313166656439303738383564356361663835633433636432313365336565303036
+39396330323265313665353931383563666439353964346661613964363536613237373663393232
+37303162396133646233646564313263393830353962306232653930393766303830346165613439
+33396666623238636363653066316366393636336232623162303565363563666635333336373335
+36663763323931666362663637663365616236333065383961633933346164333261
diff --git a/chaos-at-home/host_vars/ch-mon.yml b/chaos-at-home/host_vars/ch-mon.yml
index 96c4c285..bf25aa19 100644
--- a/chaos-at-home/host_vars/ch-mon.yml
+++ b/chaos-at-home/host_vars/ch-mon.yml
@@ -1,24 +1,27 @@
$ANSIBLE_VAULT;1.2;AES256;chaos-at-home
-65383763373634393962376161393736376237393739343163323137353139623336313561356230
-6631343766386232636464383333623539666465346130640a343235623237623561356664316365
-38613035306664383438376535386437376365623435633638303834653362303935333431633833
-3366646538633830360a666362336161373539366264353733323163386566633163643931386432
-33393135353563343132323931333335613437333330626261616139386433383432363434633033
-61353431366432613164663036643730376663373762643031333435303638653065376165623239
-31643464323531626664316330373130346139623561373539333839646132306161303064356633
-65636135396436663931313637643963636336333132353233626661636564323666636432613666
-61373661306133363765356531373666313836383334616361656131313033326436633036623766
-30373366636563303536303964363538346432353230343037643563656365613330323036353565
-61656537643531373530613035636365306533653462303965353530653838353365393139383632
-38626465326165616433383639623162636331346331393738653464623861646165313431363463
-64663231346261323039353930326234343236313338323561646432613835363334353737306333
-30383035306431336266386535643066313062626333666464313136333363633530663838326664
-65346466616631663138626136626263666637323335323238613232306235363532396638646535
-63323836363735333630663330383537343731333865396337336661356237623737643565373431
-33626633323034663538653837663432386635363734363136303533663964363936353937613235
-36353662383362386633313565643430343764353562373132636638393834356631616664613233
-64363330323564666462343532323335306534643832643930626132303539383635643133633435
-30303664636139316333326164383131306234666230646661616438323432653264313733363237
-61313433386165396466653738393363653365363930353264613061656664393131396363343230
-30353966336662313236396233636436356366636633376437343937333561353661343737343738
-386131363034363236356466313463313635
+31326635666435336464393961346139333735306339373262373262373932363632336230346435
+3836323530613262643763666563336264393539646438310a613461626465313138363231393132
+38643134323531393866383338323064343863636630613263363563303666366664646638636535
+3439613635393937640a613864313338346365323037663066346332313334633461363937363561
+36666238656236666661343739623131646338306534653033376461303631643664633164613361
+64643732663833666166636164626164303636633335393665653062313663383932316431366662
+62616631393065393033613663643133643637653238333932383435303166616366633231666662
+65363038323563396230396337646463663563356437333936643739313565623235636161363330
+31613432303564393134653561376137656562396239363330643132666663346338626433376434
+31303930363366393438636565663431353832663235396139643135343437643434363731356365
+62376263396230336663356433366262656331653932383833376666366533303966316637636166
+30313039393432326239393738313733373632346232363435373830626462313932323836666630
+31343736313737376361313862383230363465393736356461653464363135633632363464326563
+38656330393639313434303964396433656666643064373564613238653765353664663266323137
+33396164386362633962373662666136343735373463393366643062653062313839663030616537
+34323430353934393566373732653138393665313435373030623466396132393833396537356430
+36663762376432303562653930326437333564333932363463363837336263633933343965333362
+37333862326234663064373764383536663064373333393530313535613431306362316662373662
+61373064326265656139636638643036333932653930666465646230313136626532343530386165
+32373661323366386434623432396231653433313963663835386531366566363435346135353739
+38353263646332613262323635356265616333663639353562386134333662366332656636363731
+33316463626439373238656134353531663465353636343665623663346639316664613436376335
+64393235646130616635653732393435333034306266663931373037366362626234663438623935
+62353131356636356531333064643530336234663664363034646437653466623839313866626164
+34346533366336323831616236363163386132343835646233386333373866653830316330333135
+3133366438626634303239393737353532373435626639333531
diff --git a/inventory/host_vars/ch-http-proxy.yml b/inventory/host_vars/ch-http-proxy.yml
index 255dbebe..d5f38241 100644
--- a/inventory/host_vars/ch-http-proxy.yml
+++ b/inventory/host_vars/ch-http-proxy.yml
@@ -55,7 +55,7 @@ whawty_nginx_sso_logins:
domain: ".chaos-at-home.org"
name: __Secure-chaos-at-home-sso
secure: yes
- expire: 23h
+ expire: 167h
keys:
- name: 2023-11
ed25519:
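Review bot: Raising `expire` from `23h` to `167h` keeps a stolen `__Secure-chaos-at-home-sso` cookie usable for a week instead of a day, and nothing in the hunk records why the longer lifetime is wanted. The cookie is signed with the listed ed25519 key (`name: 2023-11`), so cutting a session short before expiry presumably means rotating that key for every user — worth confirming and stating next to the value, e.g. `expire: 167h  # one week; no per-session revocation, early invalidation = key rotation`. The enclosing `whawty_nginx_sso_logins` mapping starts above the hunk.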
diff --git a/inventory/host_vars/ch-mon.yml b/inventory/host_vars/ch-mon.yml
index f21bd9b2..cb5bcfed 100644
--- a/inventory/host_vars/ch-mon.yml
+++ b/inventory/host_vars/ch-mon.yml
@@ -53,9 +53,31 @@ lvm_groups:
spreadspace_apt_repo_components:
+ - main
- prometheus
+whawty_nginx_sso_backends:
+ chaos-at-home:
+ port: 1234
+ login_url: https://login.chaos-at-home.org/login
+
+whawty_nginx_sso_auths:
+ chaos-at-home:
+ config:
+ cookie:
+ name: __Secure-chaos-at-home-sso
+ keys:
+ - name: 2023-11
+ ed25519:
+ public-key: |-
+ -----BEGIN PUBLIC KEY-----
+ MCowBQYDK2VwAyEAawvVwThGnYYBDLjQ0Rs71prAmxQ/tfaPUNZvPWS3Z3U=
+ -----END PUBLIC KEY-----
+ web:
+ listen: 127.0.0.1:1234
+
+
prometheus_server_storage:
type: lvm
vg: mondata
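Review bot: The backend entry `port: 1234` and the auth service's `listen: 127.0.0.1:1234` have to agree, but they are two independent literals with nothing tying them together, so a later change to one silently breaks the other. Either derive the listener from the backend, e.g. `listen: "127.0.0.1:{{ whawty_nginx_sso_backends['chaos-at-home'].port }}"`, or add a comment on each that the other side must match. The inline `public-key` is the verification half only, which is fine to keep in clear-text inventory.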
@@ -74,12 +96,12 @@ prometheus_server_alertmanager:
username: server
password: "{{ vault_prometheus_alertmanager_auth_user_passwords['server'] }}"
-prometheus_server_web_external_url: "http://{{ network.primary.address | ansible.utils.ipaddr('address') }}/prometheus/"
+prometheus_server_web_external_url: "http://mon.chaos-at-home.org/prometheus/"
prometheus_server_auth_users:
server: "{{ vault_prometheus_server_auth_user_passwords['server'] }}"
grafana: "{{ vault_prometheus_server_auth_user_passwords['grafana'] }}"
- admin: "{{ vault_prometheus_server_auth_user_passwords['admin'] }}"
+ proxy: "{{ vault_prometheus_server_auth_user_passwords['proxy'] }}"
prometheus_server_selfscraping_auth:
username: server
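Review bot: `prometheus_server_web_external_url` is now `http://mon.chaos-at-home.org/prometheus/`, but the landing page in front of it is configured with TLS (`monitoring_landingpage_tls` further down) and the SSO cookie is `__Secure-`-prefixed with `secure: yes`, so a browser will not send it to a plain-http URL; any link Prometheus builds from the external URL (alert source links, redirects) would arrive at the proxy without a session. Unless something not visible here redirects http to https, this should be `prometheus_server_web_external_url: "https://mon.chaos-at-home.org/prometheus/"`. The same applies to `prometheus_alertmanager_web_external_url` in the later hunk. Replacing the `admin` basic-auth user with `proxy` also means the only remaining non-service credential is the one nginx injects, so direct access to :9090 is effectively proxy-only — worth a one-line comment.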
@@ -109,7 +131,7 @@ prometheus_job_multitarget_blackbox__probe:
target: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:{{ ansible_port | default(22) }}"
module: ssh_banner
- instance: "https-mon.chaos-at-home.org"
- target: "https://{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}"
+ target: "https://{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}/healthz"
module: http_tls_2xx
prometheus_job_multitarget_ssl__probe:
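Review bot: Pointing the `https-mon.chaos-at-home.org` probe at `/healthz` keeps it green once `/` sits behind `auth_request`, but `/healthz` is exactly the location that later gets `auth_request off; return 200;`, so this check now passes even when the whawty auth backend on 127.0.0.1:1234 is down. If SSO availability should be monitored too, add a second target for `/` under a module that expects the redirect-to-login (or 401) status rather than 2xx, e.g. `instance: "https-mon.chaos-at-home.org-sso"` with a dedicated blackbox module. The probe still targets the service IP directly, so it presumably relies on the default vhost or SNI matching — confirm that is intended.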
@@ -143,11 +165,11 @@ prometheus_alertmanager_smtp:
from: "noreply@chaos-at-home.org"
require_tls: no
-prometheus_alertmanager_web_external_url: "http://{{ network.primary.address | ansible.utils.ipaddr('address') }}/alertmanager/"
+prometheus_alertmanager_web_external_url: "http://mon.chaos-at-home.org/alertmanager/"
prometheus_alertmanager_auth_users:
server: "{{ vault_prometheus_alertmanager_auth_user_passwords['server'] }}"
- admin: "{{ vault_prometheus_alertmanager_auth_user_passwords['admin'] }}"
+ proxy: "{{ vault_prometheus_alertmanager_auth_user_passwords['proxy'] }}"
prometheus_alertmanager_route:
receiver: empty
@@ -168,6 +190,13 @@ prometheus_alertmanager_receivers:
grafana_secret_key: "{{ vault_grafana_secret_key }}"
+grafana_config_auth:
+ disable_signout_menu: true
+
+grafana_config_auth_proxy:
+ enabled: true
+ whitelist: 127.0.0.1
+
grafana_datasources:
- name: "Prometheus"
type: "prometheus"
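Review bot: `whitelist: 127.0.0.1` only covers IPv4, while the landing-page role proxies Grafana via `http://{{ grafana_config_server.http_addr | default('localhost') }}:3000`; if `localhost` resolves to `::1` first on this host, Grafana sees the request from a non-whitelisted address and rejects the auth-proxy header. Either set `whitelist: "127.0.0.1, ::1"` or pin the upstream to `127.0.0.1`. Also note, hedged on Grafana's documented defaults, that `auth.proxy` auto-creates an account for every user name the header carries (`auto_sign_up` defaults to true), so every SSO login becomes a Grafana user — add `auto_sign_up: false` here if that is not wanted, and a comment that this block makes the `X-WEBAUTH-USER` header the sole authentication for Grafana.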
@@ -204,6 +233,7 @@ grafana_dashboards:
grafana_admin_password: "{{ vault_grafana_admin_password }}"
+
monitoring_landingpage_hostnames:
- "mon.chaos-at-home.org"
monitoring_landingpage_title: "chaos@home Monitoring Host"
@@ -239,3 +269,21 @@ monitoring_landingpage_tls:
not_before: +0h
not_after: +365d
renew_margin: +70d
+
+monitoring_landingpage_vhost_extra_directives: |
+ include snippets/whawty-sso-chaos-at-home.conf;
+
+ location = /healthz {
+ auth_request off;
+ return 200;
+ }
+
+monitoring_landingpage_service_extra_directives:
+ prometheus: |
+ proxy_set_header Authorization "Basic {{ ('proxy:'~prometheus_server_auth_users['proxy']) | b64encode }}";
+ alertmanager: |
+ proxy_set_header Authorization "Basic {{ ('proxy:'~prometheus_alertmanager_auth_users['proxy']) | b64encode }}";
+ grafana: |
+ auth_request_set $username $upstream_http_x_username;
+ proxy_set_header X-WEBAUTH-USER $username;
+ proxy_set_header Authorization "";
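Review bot: The three nginx snippets carry the whole authorization model but have no comments, and the two facts that make them safe are not obvious: `proxy_set_header` replaces any client-supplied `Authorization` / `X-WEBAUTH-USER` header rather than appending, which is what stops a logged-in user from injecting another identity, and the Prometheus/Alertmanager lines bake the `proxy` basic-auth secret into the rendered vhost file. Add a `#` comment line above each snippet saying so, e.g. `# overrides any client Authorization header; value is secret -> vhost must stay 0600` for prometheus/alertmanager and `# identity comes only from the whawty auth_request response; client headers are overwritten` for grafana. Since every SSO user is mapped to the same `proxy` identity, Prometheus and Alertmanager (including silencing alerts) are all-or-nothing for anyone who can log in — if the whawty snippet supports group restrictions, note whether that is intended. The `/healthz` location with `auth_request off` returns a bare 200 and exposes nothing, which is fine.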
diff --git a/roles/monitoring/grafana/defaults/main.yml b/roles/monitoring/grafana/defaults/main.yml
index 0eaeb061..20b886ca 100644
--- a/roles/monitoring/grafana/defaults/main.yml
+++ b/roles/monitoring/grafana/defaults/main.yml
@@ -22,6 +22,13 @@ grafana_config_users:
allow_sign_up: false
allow_org_create: false
+grafana_config_auth: {}
+# disable_signout_menu: true
+
+grafana_config_auth_proxy: {}
+# enabled: true
+# whitelist: 127.0.0.1
+
grafana_datasources: []
# - name: "Prometheus"
diff --git a/roles/monitoring/grafana/tasks/main.yml b/roles/monitoring/grafana/tasks/main.yml
index 1e21ea39..de2857df 100644
--- a/roles/monitoring/grafana/tasks/main.yml
+++ b/roles/monitoring/grafana/tasks/main.yml
@@ -68,6 +68,28 @@
value: "{{ item.value | string }}"
notify: restart grafana
+- name: configure grafana auth
+ loop: "{{ grafana_config_auth | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ ini_file:
+ path: /etc/grafana/grafana.ini
+ section: auth
+ option: "{{ item.key }}"
+ value: "{{ item.value | string }}"
+ notify: restart grafana
+
+- name: configure grafana auth.proxy
+ loop: "{{ grafana_config_auth_proxy | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ ini_file:
+ path: /etc/grafana/grafana.ini
+ section: auth.proxy
+ option: "{{ item.key }}"
+ value: "{{ item.value | string }}"
+ notify: restart grafana
+
- name: install datasources
copy:
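Review bot: The new `configure grafana auth.proxy` task will happily write `enabled = true` with no `whitelist`, and as far as Grafana's documentation goes an empty whitelist means the `X-WEBAUTH-USER` header is trusted from any source, i.e. anyone who can reach the Grafana port directly can log in as any user. A guard task before the loop turns that misconfiguration into a play failure. The `| string` rendering of booleans yields `True`, which Grafana's ini parser accepts, and matches the existing tasks above, so that part is consistent.

```yaml
- name: refuse grafana auth.proxy without a source whitelist
  when: grafana_config_auth_proxy.enabled | default(false) | bool
  assert:
    that:
      - (grafana_config_auth_proxy.whitelist | default('') | string | trim) != ''
    fail_msg: "auth.proxy trusts the user header from any source unless grafana_config_auth_proxy.whitelist is set"

# … unchanged: configure grafana auth.proxy loop …
```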
diff --git a/roles/monitoring/landingpage/defaults/main.yml b/roles/monitoring/landingpage/defaults/main.yml
index 8cdaba86..8c093099 100644
--- a/roles/monitoring/landingpage/defaults/main.yml
+++ b/roles/monitoring/landingpage/defaults/main.yml
@@ -11,3 +11,16 @@ monitoring_landingpage_services:
- prometheus
- alertmanager
- grafana
+
+# monitoring_landingpage_vhost_extra_directives: |
+# include snippets/whawty-sso-example.conf;
+
+monitoring_landingpage_service_extra_directives: {}
+# prometheus: |
+# proxy_set_header Authorization "Basic {{ 'user:pass' | b64encode }}";
+# alertmanager: |
+# proxy_set_header Authorization "Basic {{ 'user:pass' | b64encode }}";
+# grafana: |
+# auth_request_set $username $upstream_http_x_username;
+# proxy_set_header X-WEBAUTH-USER $username;
+# proxy_set_header Authorization "";
diff --git a/roles/monitoring/landingpage/tasks/main.yml b/roles/monitoring/landingpage/tasks/main.yml
index 0e24b016..e9512700 100644
--- a/roles/monitoring/landingpage/tasks/main.yml
+++ b/roles/monitoring/landingpage/tasks/main.yml
@@ -13,6 +13,7 @@
vars:
monitoring_landingpage_vhost_base:
name: landingpage
+ mode: "0600"
template: generic
hostnames: "{{ monitoring_landingpage_hostnames }}"
locations:
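Review bot: `mode: "0600"` on the vhost is the right call but reads as arbitrary here; the reason — the per-service `extra_directives` may embed upstream basic-auth credentials via `b64encode` — lives in another file. Add a comment above it, e.g. `# 0600: service extra_directives can carry proxied basic-auth secrets`. Nginx reads its configuration as root before dropping privileges, so a root-owned 0600 file is sufficient; confirm the nginx role keeps vhost files root-owned. The enclosing task starts above the hunk.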
@@ -23,18 +24,34 @@
tls:
{{ monitoring_landingpage_tls | to_nice_yaml(indent=2) | indent(2) }}
{% endif %}
+ {% if monitoring_landingpage_vhost_extra_directives is defined %}
+ extra_directives: |
+ {{ monitoring_landingpage_vhost_extra_directives | indent(2) }}
+ {% endif %}
locations:
{% if 'prometheus' in monitoring_landingpage_services %}
'/prometheus/':
proxy_pass: "http://{{ prometheus_server_web_listen_address | default('127.0.0.1:9090') }}"
+ {% if 'prometheus' in monitoring_landingpage_service_extra_directives %}
+ extra_directives: |
+ {{ monitoring_landingpage_service_extra_directives['prometheus'] | indent(6) }}
+ {% endif %}
{% endif %}
{% if 'alertmanager' in monitoring_landingpage_services %}
'/alertmanager/':
proxy_pass: "http://{{ prometheus_alertmanager_web_listen_address | default('127.0.0.1:9093') }}"
+ {% if 'alertmanager' in monitoring_landingpage_service_extra_directives %}
+ extra_directives: |
+ {{ monitoring_landingpage_service_extra_directives['alertmanager'] | indent(6) }}
+ {% endif %}
{% endif %}
{% if 'grafana' in monitoring_landingpage_services %}
'/grafana/':
proxy_pass: "http://{{ grafana_config_server.http_addr | default('localhost') }}:{{ grafana_config_server.http_port | default(3000) }}"
+ {% if 'grafana' in monitoring_landingpage_service_extra_directives %}
+ extra_directives: |
+ {{ monitoring_landingpage_service_extra_directives['grafana'] | indent(6) }}
+ {% endif %}
{% endif %}
set_fact:
monitoring_landingpage_vhost: "{{ monitoring_landingpage_vhost_base | combine(monitoring_landingpage_vhost_override__yaml | from_yaml, recursive=True) }}"
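Review bot: A key in `monitoring_landingpage_service_extra_directives` whose service is not listed in `monitoring_landingpage_services` is silently dropped by the three `{% if 'x' in … %}` guards, which for an auth-related directive means a misspelled key fails open without any signal. An assert before this `set_fact` makes the mismatch loud. The task that owns the `vars:` block starts above the hunk.

```yaml
- name: reject extra directives for services that are not enabled
  assert:
    that:
      - (monitoring_landingpage_service_extra_directives | list) | difference(monitoring_landingpage_services) | length == 0
    fail_msg: "monitoring_landingpage_service_extra_directives names a service missing from monitoring_landingpage_services"

# … unchanged: build monitoring_landingpage_vhost via set_fact …
```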
diff --git a/roles/monitoring/landingpage/templates/index.html.j2 b/roles/monitoring/landingpage/templates/index.html.j2
index 3c6cbe98..769ba1a2 100644
--- a/roles/monitoring/landingpage/templates/index.html.j2
+++ b/roles/monitoring/landingpage/templates/index.html.j2
@@ -15,7 +15,7 @@
<li><a target='_blank' href='/alertmanager/'>Prometheus Alertmanager</a></li>
{% endif %}
{% if 'grafana' in monitoring_landingpage_services %}
- <li><a target='_blank' href='/grafana/'>Grafana</a></li>
+ <li><a target='_blank' href='/grafana/dashboards'>Grafana</a></li>
{% endif %}
</ul>
</div>