-rw-r--r--dan/sk-testvm.yml32
-rw-r--r--files/chaos-at-home/bind-zones/db.spreadspace3
-rw-r--r--inventory/host_vars/sk-testvm.yml42
-rw-r--r--roles/nginx/auth/sso/backend/defaults/main.yml37
-rw-r--r--roles/nginx/auth/sso/backend/handlers/main.yml12
-rw-r--r--roles/nginx/auth/sso/backend/tasks/main.yml37
-rw-r--r--roles/nginx/auth/sso/backend/templates/nginx-sso@.service.j231
-rw-r--r--roles/nginx/auth/sso/base/defaults/main.yml7
-rw-r--r--roles/nginx/auth/sso/base/tasks/main.yml6
-rw-r--r--roles/nginx/auth/sso/base/templates/nginx.snippet.j223
10 files changed, 226 insertions, 4 deletions
diff --git a/dan/sk-testvm.yml b/dan/sk-testvm.yml
index 33d237cd..88af0dc5 100644
--- a/dan/sk-testvm.yml
+++ b/dan/sk-testvm.yml
@@ -11,18 +11,20 @@
- name: Payload Setup
hosts: sk-testvm
vars:
- # acme_client: uacme
+ acme_client: uacme
# acme_client: acmetool
- # cert_provider: "{{ acme_client }}"
+ cert_provider: "{{ acme_client }}"
# cert_provider: static
# cert_provider: selfsigned
- cert_provider: ownca
+ # cert_provider: ownca
roles:
- role: apt-repo/spreadspace
- role: kubernetes/base
- role: kubernetes/standalone/base
- role: "x509/{{ cert_provider }}/base"
- role: nginx/base
+ - role: nginx/auth/sso/base
+ - role: nginx/auth/sso/backend
- role: nginx/vhost
nginx_vhost:
default: yes
@@ -40,6 +42,22 @@
index: index.html
- role: nginx/vhost
nginx_vhost:
+ name: login
+ template: generic
+ tls:
+ certificate_provider: "{{ cert_provider }}"
+ certificate_config: "{{ lookup('vars', cert_provider+'_cert_config__test', default={}) }}"
+ hsts: no
+ hostnames:
+ - login.spreadspace.org
+ - login.spreadspace.com
+ - login.spreadspace.net
+ - login.spreadspace.systems
+ locations:
+ '/':
+ proxy_pass: http://127.0.0.1:8082
+ - role: nginx/vhost
+ nginx_vhost:
name: test
template: generic
tls:
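Review bot: `hsts: no` on the new `login` vhost turns Strict-Transport-Security off (assuming `hsts` is the nginx/vhost role's HSTS toggle, which is not visible here) for the one host that will issue the SSO session cookie, so a first visit to `http://login.spreadspace.org` is never upgraded; unless there is a reason specific to this host, `hsts: yes` is the safer setting for a login endpoint and the choice deserves a comment either way. The `generic` template receives `proxy_pass` only as a URL, so whether it forwards `X-Forwarded-For`/`X-Real-IP` to the backend, which the backend's `trusted_ip_headers` in the host_vars rely on, depends on that template and is worth stating next to `proxy_pass: http://127.0.0.1:8082`. The `test` vhost mapping that begins at `name: test` continues in the next hunk.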
@@ -51,10 +69,18 @@
- test.spreadspace.com
- test.spreadspace.net
- test.spreadspace.systems
+ extra_directives: |
+ include snippets/sso-spreadspace.conf;
locations:
'/':
+ # proxy_pass: http://127.0.0.1:8080
root: /var/www/test
index: index.html
+ extra_directives: |
+ #auth_request_set $username $upstream_http_x_username;
+ #proxy_set_header Remote-User $username;
+ auth_request_set $cookie $upstream_http_set_cookie;
+ add_header Set-Cookie $cookie;
# - role: apps/mumble
# mumble_version: v1.4.274-4
# mumble_instance: spreadspace
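Review bot: `add_header Set-Cookie $cookie;` in the `/` location's `extra_directives` stops inheritance of every `add_header` the vhost template emits at `server` level, because nginx only inherits `add_header` into a level that defines none of its own; if the template sets HSTS, X-Frame-Options or similar there, they silently vanish from `/`, so they need repeating here or the cookie pass-through belongs in a scope the template keeps. `add_header` also applies only to 2xx/3xx responses unless it carries `always`, which is fine for the post-login redirect but drops a `Set-Cookie` coming back on a failed auth subrequest. The vhost-level `include snippets/sso-spreadspace.conf;` puts `auth_request` in the `server` context, so every location of this vhost is gated, presumably intended for a test host but worth a `# whole vhost requires SSO login` comment above the include. The `test` vhost definition starts in the previous hunk.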
diff --git a/files/chaos-at-home/bind-zones/db.spreadspace b/files/chaos-at-home/bind-zones/db.spreadspace
index 9d9a93f7..76495109 100644
--- a/files/chaos-at-home/bind-zones/db.spreadspace
+++ b/files/chaos-at-home/bind-zones/db.spreadspace
@@ -1,7 +1,7 @@
$TTL 1h
@ SOA ns0.chaos-at-home.org. hostmaster (
- 2023051600
+ 2023100100
1h
5m
30d
@@ -31,6 +31,7 @@ stream 1200 CNAME mimas.chaos-at-home.org.
git 1200 A 116.203.212.131
test A 178.63.180.143
+login A 178.63.180.143
rhgit A 212.17.109.195
; GLT
diff --git a/inventory/host_vars/sk-testvm.yml b/inventory/host_vars/sk-testvm.yml
index 264e87f6..2650b85b 100644
--- a/inventory/host_vars/sk-testvm.yml
+++ b/inventory/host_vars/sk-testvm.yml
@@ -39,6 +39,7 @@ external_ip: "{{ network.primary.overlay }}"
#
spreadspace_apt_repo_components:
+ - main
- container
docker_storage:
@@ -525,3 +526,44 @@ ownca_cert_config__test:
extended_key_usage_critical: yes
create_subject_key_identifier: yes
not_after: +100w
+
+
+nginx_sso_backends:
+ spreadspace:
+ auth_url: http://127.0.0.1:8082/auth
+ base_url: https://login.spreadspace.org
+
+nginx_sso_backend_configs:
+ spreadspace:
+ login:
+ title: "spreadspace - Login"
+ default_method: "simple"
+ hide_mfa_field: true
+ names:
+ simple: "Username / Password"
+ cookie:
+ domain: ".spreadspace.org"
+ authentication_key: "WXCBcOAiDrupSxJTqIEKsT5EXBfdXbydFCI7mXDTSTL6dF0KFJKhVgbVgc3nD7G2"
+ prefix: nginx-sso-spreadspace
+ listen:
+ addr: "127.0.0.1"
+ port: 8082
+ audit_log:
+ targets:
+ - fd://stdout
+ events: ['access_denied', 'login_success', 'login_failure', 'logout', 'validate']
+ headers: ['x-origin-uri']
+ trusted_ip_headers: ["X-Forwarded-For", "RemoteAddr", "X-Real-IP"]
+ acl:
+ rule_sets:
+ - rules:
+ - field: "x-host"
+ regexp: ".*"
+ allow: ["@_authenticated"]
+ providers:
+ simple:
+ enable_basic_auth: false
+ users:
+ admin: "{{ 'admin' | password_hash('bcrypt', ('admin@spreadspace.com/nginx-sso' | bcrypt_salt)) }}"
+ groups:
+ admins: ["admin"]
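Review bot: `authentication_key` under `cookie` is a live signing secret committed in plaintext to the inventory; it should come from a vault-encrypted variable or a `lookup`, and since it is now in history it needs regenerating before this backend serves the public `login` A record added in db.spreadspace. The `simple` provider's `admin` user has the literal password `'admin'`, which may be fine for a throwaway test VM but the hostnames resolve publicly, so at least a `# test credential, replace before reuse` comment belongs on that line. `cookie` sets `domain: ".spreadspace.org"` but omits `secure` (the role's example shows `secure: yes`); if nginx-sso defaults it to off, the session cookie also travels over plain HTTP. The `login` vhost additionally answers for the `.com`, `.net` and `.systems` names, and browsers refuse a `Domain=.spreadspace.org` cookie set from those hosts, so logins via the other names probably will not stick.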
diff --git a/roles/nginx/auth/sso/backend/defaults/main.yml b/roles/nginx/auth/sso/backend/defaults/main.yml
new file mode 100644
index 00000000..d1928f77
--- /dev/null
+++ b/roles/nginx/auth/sso/backend/defaults/main.yml
@@ -0,0 +1,37 @@
+---
+# nginx_sso_backend_configs:
+# example:
+# login:
+# title: "example.com - Login"
+# default_method: "simple"
+# hide_mfa_field: true
+# names:
+# simple: "Username / Password"
+# cookie:
+# domain: ".example.com"
+# authentication_key: "very-very-secret"
+# prefix: nginx-sso-example
+# secure: yes
+# expire: 3600
+# listen:
+# addr: "0.0.0.0"
+# port: 8082
+# audit_log:
+# targets:
+# - fd://stdout
+# events: ['access_denied', 'login_success', 'login_failure', 'logout', 'validate']
+# headers: ['x-origin-uri']
+# trusted_ip_headers: ["X-Forwarded-For", "RemoteAddr", "X-Real-IP"]
+# acl:
+# rule_sets:
+# - rules:
+# - field: "x-host"
+# regexp: ".*"
+# allow: ["@_authenticated"]
+# providers:
+# simple:
+# enable_basic_auth: false
+# users:
+# admin: "{{ 'admin' | password_hash('bcrypt', ('admin@example.com/nginx-sso' | bcrypt_salt)) }}"
+# groups:
+# admins: ["admin"]
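Review bot: The defaults file declares no value for `nginx_sso_backend_configs`, only a commented example, so every task and handler that loops over `nginx_sso_backend_configs | dict2items` or `| list` fails with an undefined-variable error on a host that applies the role without setting it. Adding `nginx_sso_backend_configs: {}` above the example turns that into a no-op; the same applies to `nginx_sso_backends` in roles/nginx/auth/sso/base/defaults/main.yml. Since this example is the only documentation the role ships, a short comment above it saying which keys are mandatory (`cookie.authentication_key`, `listen`) and that the file is written verbatim to /etc/nginx/auth/sso/NAME.yml would help the next consumer.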
diff --git a/roles/nginx/auth/sso/backend/handlers/main.yml b/roles/nginx/auth/sso/backend/handlers/main.yml
new file mode 100644
index 00000000..2209c7bf
--- /dev/null
+++ b/roles/nginx/auth/sso/backend/handlers/main.yml
@@ -0,0 +1,12 @@
+---
+- name: restart nginx-sso
+ loop: "{{ nginx_sso_backend_configs | list }}"
+ service:
+ name: "nginx-sso@{{ item }}.service"
+ state: restarted
+
+- name: reload nginx-sso
+ loop: "{{ nginx_sso_backend_configs | list }}"
+ service:
+ name: "nginx-sso@{{ item }}.service"
+ state: reloaded
diff --git a/roles/nginx/auth/sso/backend/tasks/main.yml b/roles/nginx/auth/sso/backend/tasks/main.yml
new file mode 100644
index 00000000..4d555d69
--- /dev/null
+++ b/roles/nginx/auth/sso/backend/tasks/main.yml
@@ -0,0 +1,37 @@
+---
+- name: install nginx-sso package
+ apt:
+ name: nginx-sso
+ state: present
+
+- name: create configuration directory
+ file:
+ path: /etc/nginx/auth/sso
+ state: directory
+
+- name: generate configuration file
+ loop: "{{ nginx_sso_backend_configs | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ copy:
+ content: |
+ # ansible generated
+
+ {{ item.value | to_nice_yaml }}
+ dest: "/etc/nginx/auth/sso/{{ item.key }}.yml"
+ mode: 0400
+ notify: reload nginx-sso
+
+- name: generate systemd service unit
+ template:
+ src: nginx-sso@.service.j2
+ dest: /etc/systemd/system/nginx-sso@.service
+ notify: restart nginx-sso
+
+- name: make sure nginx-sso services are enabled and started
+ loop: "{{ nginx_sso_backend_configs | list }}"
+ systemd:
+ name: "nginx-sso@{{ item }}.service"
+ daemon_reload: yes
+ state: started
+ enabled: yes
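Review bot: The "generate configuration file" task writes a file holding the cookie signing key and password hashes with `mode: 0400` but no `owner`/`group`, so ownership falls to whoever runs the play; adding `owner: root` and `group: root` makes the intent explicit, and if the unit ever gets a dedicated `User=` the owner has to follow it. `notify: reload nginx-sso` assumes the daemon re-reads its config on the `kill -HUP` in the unit's `ExecReload=`; if nginx-sso does not reload on SIGHUP, a changed config (for example a rotated `authentication_key`) silently stays inactive until a restart, so either confirm that and note it in a comment or notify `restart nginx-sso` instead. Style: this file uses the `systemd` module while handlers/main.yml uses `service` for the same units; one of the two would be more consistent.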
diff --git a/roles/nginx/auth/sso/backend/templates/nginx-sso@.service.j2 b/roles/nginx/auth/sso/backend/templates/nginx-sso@.service.j2
new file mode 100644
index 00000000..e2464f6f
--- /dev/null
+++ b/roles/nginx/auth/sso/backend/templates/nginx-sso@.service.j2
@@ -0,0 +1,31 @@
+[Unit]
+Description=Nginx SSO authentication daemon (%I)
+
+[Service]
+Restart=on-failure
+ExecStart=/usr/bin/nginx-sso --config /etc/nginx/auth/sso/%i.yml --frontend-dir /usr/share/nginx-sso/frontend
+ExecReload=/bin/kill -HUP $MAINPID
+
+# systemd hardening-options
+AmbientCapabilities=
+CapabilityBoundingSet=
+DeviceAllow=/dev/null rw
+DevicePolicy=strict
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=full
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target
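Review bot: The unit has no `User=` (or `DynamicUser=yes`), so a network-facing daemon that handles credentials runs as root, and several of the hardening options below (`NoNewPrivileges=`, `ProtectSystem=full`, `ProtectHome=`) give much less for a root process; with root the capability drop from `PrivateUsers=true` is what is doing most of the work, which is worth a comment if it is deliberate. A dedicated user together with `ProtectSystem=strict` and `RestrictAddressFamilies=AF_INET AF_INET6` would fit the rest of the block, given that the host_vars only have the daemon listening on 127.0.0.1:8082 and logging to `fd://stdout`; the config file written by tasks/main.yml with `mode: 0400` then needs a matching owner. `ExecReload=/bin/kill -HUP $MAINPID` is only useful if nginx-sso actually re-reads its config on SIGHUP, which the page does not show.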
diff --git a/roles/nginx/auth/sso/base/defaults/main.yml b/roles/nginx/auth/sso/base/defaults/main.yml
new file mode 100644
index 00000000..4e5d9d4b
--- /dev/null
+++ b/roles/nginx/auth/sso/base/defaults/main.yml
@@ -0,0 +1,7 @@
+---
+# nginx_sso_backends:
+# example:
+# auth_url: http://127.0.0.1:8082
+# base_url: https://login.example.com
+# foo:
+# base_url: https://login.foo.bar
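Review bot: The example `auth_url: http://127.0.0.1:8082` contradicts how the snippet template uses the key: it falls back to `base_url + '/auth'` when `auth_url` is unset, and the host_vars set `http://127.0.0.1:8082/auth`, so a consumer copying this example would proxy the auth subrequest to `/` on the backend. Change the line to `# auth_url: http://127.0.0.1:8082/auth` and add a comment such as `# auth_url is optional; defaults to base_url + '/auth'` so the `foo` entry below is understood as relying on that default. As with the backend role, declaring `nginx_sso_backends: {}` here keeps the base tasks from failing on hosts that do not define it.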
diff --git a/roles/nginx/auth/sso/base/tasks/main.yml b/roles/nginx/auth/sso/base/tasks/main.yml
new file mode 100644
index 00000000..dbae0bd4
--- /dev/null
+++ b/roles/nginx/auth/sso/base/tasks/main.yml
@@ -0,0 +1,6 @@
+---
+- name: generate nginx snippets
+ loop: "{{ nginx_sso_backends | dict2items }}"
+ template:
+ src: nginx.snippet.j2
+ dest: "/etc/nginx/snippets/sso-{{ item.key }}.conf"
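Review bot: The "generate nginx snippets" task has no `notify`, so an edited or newly added sso-*.conf snippet (and the `auth_request` it carries) does not take effect until something else reloads nginx, which for an auth snippet means a changed backend URL or a removed gate stays inactive unnoticed. Adding `notify: reload nginx` (or whatever handler name nginx/base exposes; the role is not visible here) after `dest:` fixes that. A `mode: "0644"` plus explicit `owner` would also pin the file's permissions instead of inheriting the umask.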
diff --git a/roles/nginx/auth/sso/base/templates/nginx.snippet.j2 b/roles/nginx/auth/sso/base/templates/nginx.snippet.j2
new file mode 100644
index 00000000..f8558d59
--- /dev/null
+++ b/roles/nginx/auth/sso/base/templates/nginx.snippet.j2
@@ -0,0 +1,23 @@
+auth_request /sso-auth;
+error_page 401 = @error401;
+
+location /sso-auth {
+ internal;
+
+ proxy_pass {{ item.value.auth_url | default(item.value.base_url + '/auth') }};
+ proxy_pass_request_body off;
+ proxy_set_header Content-Length "";
+ proxy_set_header X-Origin-URI $request_uri;
+ proxy_set_header X-Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+}
+
+location /sso-logout {
+ return 302 {{ item.value.base_url }}/logout?go=$scheme://$http_host/;
+}
+
+location @error401 {
+ return 302 {{ item.value.base_url }}/login?go=$scheme://$http_host$request_uri;
+}