diff options
| -rw-r--r-- | dan/sk-testvm.yml | 32 | ||||
| -rw-r--r-- | files/chaos-at-home/bind-zones/db.spreadspace | 3 | ||||
| -rw-r--r-- | inventory/host_vars/sk-testvm.yml | 42 | ||||
| -rw-r--r-- | roles/nginx/auth/sso/backend/defaults/main.yml | 37 | ||||
| -rw-r--r-- | roles/nginx/auth/sso/backend/handlers/main.yml | 12 | ||||
| -rw-r--r-- | roles/nginx/auth/sso/backend/tasks/main.yml | 37 | ||||
| -rw-r--r-- | roles/nginx/auth/sso/backend/templates/nginx-sso@.service.j2 | 31 | ||||
| -rw-r--r-- | roles/nginx/auth/sso/base/defaults/main.yml | 7 | ||||
| -rw-r--r-- | roles/nginx/auth/sso/base/tasks/main.yml | 6 | ||||
| -rw-r--r-- | roles/nginx/auth/sso/base/templates/nginx.snippet.j2 | 23 |
10 files changed, 226 insertions, 4 deletions
diff --git a/dan/sk-testvm.yml b/dan/sk-testvm.yml index 33d237cd..88af0dc5 100644 --- a/dan/sk-testvm.yml +++ b/dan/sk-testvm.yml @@ -11,18 +11,20 @@ - name: Payload Setup hosts: sk-testvm vars: - # acme_client: uacme + acme_client: uacme # acme_client: acmetool - # cert_provider: "{{ acme_client }}" + cert_provider: "{{ acme_client }}" # cert_provider: static # cert_provider: selfsigned - cert_provider: ownca + # cert_provider: ownca roles: - role: apt-repo/spreadspace - role: kubernetes/base - role: kubernetes/standalone/base - role: "x509/{{ cert_provider }}/base" - role: nginx/base + - role: nginx/auth/sso/base + - role: nginx/auth/sso/backend - role: nginx/vhost nginx_vhost: default: yes @@ -40,6 +42,22 @@ index: index.html - role: nginx/vhost nginx_vhost: + name: login + template: generic + tls: + certificate_provider: "{{ cert_provider }}" + certificate_config: "{{ lookup('vars', cert_provider+'_cert_config__test', default={}) }}" + hsts: no + hostnames: + - login.spreadspace.org + - login.spreadspace.com + - login.spreadspace.net + - login.spreadspace.systems + locations: + '/': + proxy_pass: http://127.0.0.1:8082 + - role: nginx/vhost + nginx_vhost: name: test template: generic tls: @@ -51,10 +69,18 @@ - test.spreadspace.com - test.spreadspace.net - test.spreadspace.systems + extra_directives: | + include snippets/sso-spreadspace.conf; locations: '/': + # proxy_pass: http://127.0.0.1:8080 root: /var/www/test index: index.html + extra_directives: | + #auth_request_set $username $upstream_http_x_username; + #proxy_set_header Remote-User $username; + auth_request_set $cookie $upstream_http_set_cookie; + add_header Set-Cookie $cookie; # - role: apps/mumble # mumble_version: v1.4.274-4 # mumble_instance: spreadspace diff --git a/files/chaos-at-home/bind-zones/db.spreadspace b/files/chaos-at-home/bind-zones/db.spreadspace index 9d9a93f7..76495109 100644 --- a/files/chaos-at-home/bind-zones/db.spreadspace +++ b/files/chaos-at-home/bind-zones/db.spreadspace @@ -1,7 +1,7 @@ $TTL 1h @ SOA ns0.chaos-at-home.org. hostmaster ( - 2023051600 + 2023100100 1h 5m 30d @@ -31,6 +31,7 @@ stream 1200 CNAME mimas.chaos-at-home.org. git 1200 A 116.203.212.131 test A 178.63.180.143 +login A 178.63.180.143 rhgit A 212.17.109.195 ; GLT diff --git a/inventory/host_vars/sk-testvm.yml b/inventory/host_vars/sk-testvm.yml index 264e87f6..2650b85b 100644 --- a/inventory/host_vars/sk-testvm.yml +++ b/inventory/host_vars/sk-testvm.yml @@ -39,6 +39,7 @@ external_ip: "{{ network.primary.overlay }}" # spreadspace_apt_repo_components: + - main - container docker_storage: @@ -525,3 +526,44 @@ ownca_cert_config__test: extended_key_usage_critical: yes create_subject_key_identifier: yes not_after: +100w + + +nginx_sso_backends: + spreadspace: + auth_url: http://127.0.0.1:8082/auth + base_url: https://login.spreadspace.org + +nginx_sso_backend_configs: + spreadspace: + login: + title: "spreadspace - Login" + default_method: "simple" + hide_mfa_field: true + names: + simple: "Username / Password" + cookie: + domain: ".spreadspace.org" + authentication_key: "WXCBcOAiDrupSxJTqIEKsT5EXBfdXbydFCI7mXDTSTL6dF0KFJKhVgbVgc3nD7G2" + prefix: nginx-sso-spreadspace + listen: + addr: "127.0.0.1" + port: 8082 + audit_log: + targets: + - fd://stdout + events: ['access_denied', 'login_success', 'login_failure', 'logout', 'validate'] + headers: ['x-origin-uri'] + trusted_ip_headers: ["X-Forwarded-For", "RemoteAddr", "X-Real-IP"] + acl: + rule_sets: + - rules: + - field: "x-host" + regexp: ".*" + allow: ["@_authenticated"] + providers: + simple: + enable_basic_auth: false + users: + admin: "{{ 'admin' | password_hash('bcrypt', ('admin@spreadspace.com/nginx-sso' | bcrypt_salt)) }}" + groups: + admins: ["admin"] diff --git a/roles/nginx/auth/sso/backend/defaults/main.yml b/roles/nginx/auth/sso/backend/defaults/main.yml new file mode 100644 index 00000000..d1928f77 --- /dev/null +++ b/roles/nginx/auth/sso/backend/defaults/main.yml @@ -0,0 +1,37 @@ +--- +# nginx_sso_backend_configs: +# example: +# login: +# title: "example.com - Login" +# default_method: "simple" +# hide_mfa_field: true +# names: +# simple: "Username / Password" +# cookie: +# domain: ".example.com" +# authentication_key: "very-very-secret" +# prefix: nginx-sso-example +# secure: yes +# expire: 3600 +# listen: +# addr: "0.0.0.0" +# port: 8082 +# audit_log: +# targets: +# - fd://stdout +# events: ['access_denied', 'login_success', 'login_failure', 'logout', 'validate'] +# headers: ['x-origin-uri'] +# trusted_ip_headers: ["X-Forwarded-For", "RemoteAddr", "X-Real-IP"] +# acl: +# rule_sets: +# - rules: +# - field: "x-host" +# regexp: ".*" +# allow: ["@_authenticated"] +# providers: +# simple: +# enable_basic_auth: false +# users: +# admin: "{{ 'admin' | password_hash('bcrypt', ('admin@example.com/nginx-sso' | bcrypt_salt)) }}" +# groups: +# admins: ["admin"] diff --git a/roles/nginx/auth/sso/backend/handlers/main.yml b/roles/nginx/auth/sso/backend/handlers/main.yml new file mode 100644 index 00000000..2209c7bf --- /dev/null +++ b/roles/nginx/auth/sso/backend/handlers/main.yml @@ -0,0 +1,12 @@ +--- +- name: restart nginx-sso + loop: "{{ nginx_sso_backend_configs | list }}" + service: + name: "nginx-sso@{{ item }}.service" + state: restarted + +- name: reload nginx-sso + loop: "{{ nginx_sso_backend_configs | list }}" + service: + name: "nginx-sso@{{ item }}.service" + state: reloaded diff --git a/roles/nginx/auth/sso/backend/tasks/main.yml b/roles/nginx/auth/sso/backend/tasks/main.yml new file mode 100644 index 00000000..4d555d69 --- /dev/null +++ b/roles/nginx/auth/sso/backend/tasks/main.yml @@ -0,0 +1,37 @@ +--- +- name: install nginx-sso package + apt: + name: nginx-sso + state: present + +- name: create configuration directory + file: + path: /etc/nginx/auth/sso + state: directory + +- name: generate configuration file + loop: "{{ nginx_sso_backend_configs | dict2items }}" + loop_control: + label: "{{ item.key }}" + copy: + content: | + # ansible generated + + {{ item.value | to_nice_yaml }} + dest: "/etc/nginx/auth/sso/{{ item.key }}.yml" + mode: 0400 + notify: reload nginx-sso + +- name: generate systemd service unit + template: + src: nginx-sso@.service.j2 + dest: /etc/systemd/system/nginx-sso@.service + notify: restart nginx-sso + +- name: make sure nginx-sso services are enabled and started + loop: "{{ nginx_sso_backend_configs | list }}" + systemd: + name: "nginx-sso@{{ item }}.service" + daemon_reload: yes + state: started + enabled: yes diff --git a/roles/nginx/auth/sso/backend/templates/nginx-sso@.service.j2 b/roles/nginx/auth/sso/backend/templates/nginx-sso@.service.j2 new file mode 100644 index 00000000..e2464f6f --- /dev/null +++ b/roles/nginx/auth/sso/backend/templates/nginx-sso@.service.j2 @@ -0,0 +1,31 @@ +[Unit] +Description=Nginx SSO authentication daemon (%I) + +[Service] +Restart=on-failure +ExecStart=/usr/bin/nginx-sso --config /etc/nginx/auth/sso/%i.yml --frontend-dir /usr/share/nginx-sso/frontend +ExecReload=/bin/kill -HUP $MAINPID + +# systemd hardening-options +AmbientCapabilities= +CapabilityBoundingSet= +DeviceAllow=/dev/null rw +DevicePolicy=strict +LockPersonality=true +MemoryDenyWriteExecute=true +NoNewPrivileges=true +PrivateDevices=true +PrivateTmp=true +PrivateUsers=true +ProtectControlGroups=true +ProtectHome=true +ProtectKernelModules=true +ProtectKernelTunables=true +ProtectSystem=full +RemoveIPC=true +RestrictNamespaces=true +RestrictRealtime=true +SystemCallArchitectures=native + +[Install] +WantedBy=multi-user.target diff --git a/roles/nginx/auth/sso/base/defaults/main.yml b/roles/nginx/auth/sso/base/defaults/main.yml new file mode 100644 index 00000000..4e5d9d4b --- /dev/null +++ b/roles/nginx/auth/sso/base/defaults/main.yml @@ -0,0 +1,7 @@ +--- +# nginx_sso_backends: +# example: +# auth_url: http://127.0.0.1:8082 +# base_url: https://login.example.com +# foo: +# base_url: https://login.foo.bar diff --git a/roles/nginx/auth/sso/base/tasks/main.yml b/roles/nginx/auth/sso/base/tasks/main.yml new file mode 100644 index 00000000..dbae0bd4 --- /dev/null +++ b/roles/nginx/auth/sso/base/tasks/main.yml @@ -0,0 +1,6 @@ +--- +- name: generate nginx snippets + loop: "{{ nginx_sso_backends | dict2items }}" + template: + src: nginx.snippet.j2 + dest: "/etc/nginx/snippets/sso-{{ item.key }}.conf" diff --git a/roles/nginx/auth/sso/base/templates/nginx.snippet.j2 b/roles/nginx/auth/sso/base/templates/nginx.snippet.j2 new file mode 100644 index 00000000..f8558d59 --- /dev/null +++ b/roles/nginx/auth/sso/base/templates/nginx.snippet.j2 @@ -0,0 +1,23 @@ +auth_request /sso-auth; +error_page 401 = @error401; + +location /sso-auth { + internal; + + proxy_pass {{ item.value.auth_url | default(item.value.base_url + '/auth') }}; + proxy_pass_request_body off; + proxy_set_header Content-Length ""; + proxy_set_header X-Origin-URI $request_uri; + proxy_set_header X-Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; +} + +location /sso-logout { + return 302 {{ item.value.base_url }}/logout?go=$scheme://$http_host/; +} + +location @error401 { + return 302 {{ item.value.base_url }}/login?go=$scheme://$http_host$request_uri; +} |