-rw-r--r--chaos-at-home/ch-http-proxy.yml2
-rw-r--r--chaos-at-home/host_vars/ch-http-proxy.yml22
-rw-r--r--files/chaos-at-home/bind-zones/db.chaos-at-home.org4
-rw-r--r--inventory/host_vars/ch-http-proxy.yml35
-rw-r--r--roles/nginx/auth/whawty-sso/base/defaults/main.yml8
-rw-r--r--roles/nginx/auth/whawty-sso/base/tasks/main.yml20
-rw-r--r--roles/nginx/auth/whawty-sso/base/templates/nginx.snippet.j219
-rw-r--r--roles/nginx/auth/whawty-sso/base/templates/whawty-nginx-sso@.service.j231
-rw-r--r--roles/nginx/auth/whawty-sso/login/defaults/main.yml61
-rw-r--r--roles/nginx/auth/whawty-sso/login/handlers/main.yml6
-rw-r--r--roles/nginx/auth/whawty-sso/login/tasks/main.yml64
11 files changed, 271 insertions, 1 deletions
diff --git a/chaos-at-home/ch-http-proxy.yml b/chaos-at-home/ch-http-proxy.yml
index cab4e450..aa2ad3ef 100644
--- a/chaos-at-home/ch-http-proxy.yml
+++ b/chaos-at-home/ch-http-proxy.yml
@@ -13,6 +13,8 @@
- role: apt-repo/spreadspace
- role: x509/acmetool/base
- role: nginx/base
+ - role: nginx/auth/whawty-sso/base
+ - role: nginx/auth/whawty-sso/login
post_tasks:
#### web.chaos-at-home.org (default-server)
- name: create directory for default server
diff --git a/chaos-at-home/host_vars/ch-http-proxy.yml b/chaos-at-home/host_vars/ch-http-proxy.yml
new file mode 100644
index 00000000..37bfb8c6
--- /dev/null
+++ b/chaos-at-home/host_vars/ch-http-proxy.yml
@@ -0,0 +1,22 @@
+$ANSIBLE_VAULT;1.2;AES256;chaos-at-home
+39653130626231373336313238643865323834663239623964316638646436636531303761356163
+3931636530306337306466383333626530663061326563620a366236373962346564386332626239
+33626334663639363731376161666563646135653735343534306639393136623431636165633333
+3233636565326531630a646639366238343466316131653236306561346538343161386136613736
+32336165353566323266613735356138336261613737653064653866313564626339663262303266
+30323535623965613938383930383938663938363738613636643566323234613433393439366434
+64333738333032316538613538356563333562636436636436326133393434373061373661363565
+38326332343038353365616634306366663264383564383762333230623530343061623439626631
+33646339383532616566376633663430383530663166373163613163303564353062316166383730
+35633461333238333532303434326132656339666232313965316264343739393766323938303062
+62616465613230356465656537613131363135663832346530623232626436646531363931633366
+66396261653130623533616530313161333038653334653039623138353337323631613137383664
+35353563376530373131623739393930613365346230343231636632613234613663366438646236
+37356162323938653734313064393330353437653962316565376233326461636162636163353430
+32333939373864653264316263346434616631373830656530313337626232633432633937316234
+64613131396634613962313766373135383030616137633634326637373966633236643463396265
+62313364313365643939363139366361636137613965616632323734633034633964333032656562
+30663963323038323734633761303632633666373736303263386231653538363933623064303039
+65613466323933386263353335636137316162373563613463636663643761633430333138383931
+35393263383230393333303539663534646465333862616533346161386665333864323937353536
+3438
diff --git a/files/chaos-at-home/bind-zones/db.chaos-at-home.org b/files/chaos-at-home/bind-zones/db.chaos-at-home.org
index 000864bf..a27f0c1d 100644
--- a/files/chaos-at-home/bind-zones/db.chaos-at-home.org
+++ b/files/chaos-at-home/bind-zones/db.chaos-at-home.org
@@ -2,7 +2,7 @@ $origin chaos-at-home.org.
$TTL 1h
@ SOA ns0 hostmaster (
- 2023051600
+ 2023111200
1h
15m
30d
@@ -59,12 +59,14 @@ magenta.jump CNAME magenta.router
magenta.web cNAME magenta.router
magenta.mail CNAME magenta.router
magenta.passwd CNAME magenta.router
+magenta.login CNAME magenta.router
router 600 CNAME magenta.router
jump 600 CNAME magenta.jump
web 600 CNAME magenta.web
mail 600 CNAME magenta.mail
passwd 600 CNAME magenta.passwd
+login 600 CNAME magenta.login
imap CNAME mail
webmail CNAME web
diff --git a/inventory/host_vars/ch-http-proxy.yml b/inventory/host_vars/ch-http-proxy.yml
index 070fbfd6..255dbebe 100644
--- a/inventory/host_vars/ch-http-proxy.yml
+++ b/inventory/host_vars/ch-http-proxy.yml
@@ -34,3 +34,38 @@ network:
acme_directory_server: "{{ acme_directory_server_le_live_v2 }}"
+
+
+whawty_nginx_sso_backends:
+ chaos-at-home:
+ port: 1234
+ login_url: https://login.chaos-at-home.org/login
+
+whawty_nginx_sso_logins:
+ chaos-at-home:
+ hostname: login.chaos-at-home.org
+ tls:
+ certificate_provider: acmetool
+ certificate_config:
+ request:
+ challenge:
+ http-self-test: false
+ config:
+ cookie:
+ domain: ".chaos-at-home.org"
+ name: __Secure-chaos-at-home-sso
+ secure: yes
+ expire: 23h
+ keys:
+ - name: 2023-11
+ ed25519:
+ private-key: "{{ vault_whawty_nginx_sso_login_keys['chaos-at-home']['2023-11'] }}"
+ auth:
+ static:
+ autoreload: yes
+ web:
+ listen: 127.0.0.1:1234
+ login:
+ title: "chaoSSO login"
+
+whawty_nginx_sso_login_static_credentials__chaos-at-home: "{{ vault_whawty_nginx_sso_login_static_credentials['chaos-at-home'] }}"
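Review bot: `secure: yes` in the `cookie` block and `autoreload: yes` under `auth.static` are YAML 1.1 truthy words; Ansible's loader turns them into booleans and `to_nice_yaml` will emit `true`, but ansible-lint's `yaml[truthy]` flags them and a YAML 1.2 reader would keep them as strings, so write `secure: true` and `autoreload: true`. The backend port `1234` is also spelled twice, once as `whawty_nginx_sso_backends.chaos-at-home.port` and once inside `config.web.listen`; if the two drift apart the nginx auth snippet points at a port nothing listens on, so consider deriving one from the other, e.g. `listen: "127.0.0.1:{{ whawty_nginx_sso_backends['chaos-at-home'].port }}"`.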
diff --git a/roles/nginx/auth/whawty-sso/base/defaults/main.yml b/roles/nginx/auth/whawty-sso/base/defaults/main.yml
new file mode 100644
index 00000000..62c3e318
--- /dev/null
+++ b/roles/nginx/auth/whawty-sso/base/defaults/main.yml
@@ -0,0 +1,8 @@
+---
+# whawty_nginx_sso_backends:
+# example:
+# port: 1234
+# login_url: https://login.example.com/login
+# foo:
+# port: 2345
+# login_url: https://login.foo.bar/login
diff --git a/roles/nginx/auth/whawty-sso/base/tasks/main.yml b/roles/nginx/auth/whawty-sso/base/tasks/main.yml
new file mode 100644
index 00000000..a410cfeb
--- /dev/null
+++ b/roles/nginx/auth/whawty-sso/base/tasks/main.yml
@@ -0,0 +1,20 @@
+---
+# TODO: create whawty-nginx-sso user?
+
+- name: install nginx-sso package
+ apt:
+ name: whawty-nginx-sso
+ state: present
+
+- name: generate nginx snippets
+ loop: "{{ whawty_nginx_sso_backends | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ template:
+ src: nginx.snippet.j2
+ dest: "/etc/nginx/snippets/whawty-sso-{{ item.key }}.conf"
+
+- name: install systemd service unit
+ template:
+ src: whawty-nginx-sso@.service.j2
+ dest: /etc/systemd/system/whawty-nginx-sso@.service
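Review bot: The `generate nginx snippets` task writes `/etc/nginx/snippets/whawty-sso-*.conf` without a `notify`, so a changed backend port reaches disk but the running nginx keeps serving the old snippet until something else reloads it; unless `nginx/base` is relied on to reload elsewhere, add a `notify` for the reload handler that role provides (or add one to this role). The `install systemd service unit` task has the same gap: the login role happens to run `daemon_reload` later, but this role on its own leaves systemd with a stale unit definition after an update, so a `notify` that triggers `daemon_reload: true` would make the base role self-contained.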
diff --git a/roles/nginx/auth/whawty-sso/base/templates/nginx.snippet.j2 b/roles/nginx/auth/whawty-sso/base/templates/nginx.snippet.j2
new file mode 100644
index 00000000..f8f67c45
--- /dev/null
+++ b/roles/nginx/auth/whawty-sso/base/templates/nginx.snippet.j2
@@ -0,0 +1,19 @@
+auth_request /auth;
+error_page 401 = @error401;
+
+location /auth {
+ internal;
+
+ proxy_pass 127.0.0.1:{{ item.value.port }}/auth;
+ proxy_pass_request_body off;
+ proxy_set_header Content-Length "";
+ proxy_set_header X-Origin-URI $request_uri;
+ proxy_set_header X-Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+}
+
+location @error401 {
+ return 302 {{ item.value.login_url }}?redir=$scheme://$http_host$request_uri;
+}
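Review bot: `proxy_pass 127.0.0.1:{{ item.value.port }}/auth;` has no URL scheme; nginx's `proxy_pass` accepts only an `http://`/`https://` URL or an upstream name and rejects this with `invalid URL prefix` at config-test time, so the rendered snippet needs `proxy_pass http://127.0.0.1:{{ item.value.port }}/auth;`. Separately, the `@error401` redirect splices `$request_uri` into the `redir` query parameter unencoded, so an original URI containing `&` or `#` is split or truncated when the login service parses the parameter; nginx has no built-in URL-encoding variable, so either document that the login service must tolerate this or pass the original URI in a form that does not need encoding (for example a dedicated header it already receives via the auth subrequest).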
diff --git a/roles/nginx/auth/whawty-sso/base/templates/whawty-nginx-sso@.service.j2 b/roles/nginx/auth/whawty-sso/base/templates/whawty-nginx-sso@.service.j2
new file mode 100644
index 00000000..d4a787f3
--- /dev/null
+++ b/roles/nginx/auth/whawty-sso/base/templates/whawty-nginx-sso@.service.j2
@@ -0,0 +1,31 @@
+[Unit]
+Description=whawty nginx SSO authentication daemon (%i)
+
+[Service]
+Restart=on-failure
+#Environment="WHAWTY_NGINX_SSO_DEBUG=1"
+ExecStart=/usr/bin/whawty-nginx-sso --config /etc/nginx/auth/whawty-sso/%i.yml run
+
+# systemd hardening-options
+AmbientCapabilities=
+CapabilityBoundingSet=
+DeviceAllow=/dev/null rw
+DevicePolicy=strict
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=full
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target
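Review bot: The unit sets no `User=`, so the SSO daemon — which parses untrusted login requests — runs as root despite the sandboxing block; the `TODO: create whawty-nginx-sso user?` in the base tasks points at the same gap. `DynamicUser=yes` (or a dedicated `User=`) is the direct fix, but the login role writes `/etc/nginx/auth/whawty-sso/%i.yml` with `mode: 0400` and no owner, so that file would then have to be made readable to the service account (group ownership, or handing it over with `LoadCredential=`). `ProtectSystem=full` could presumably also become `strict`, since the daemon appears to only read its config — confirm it writes nothing under /etc or /var before tightening it.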
diff --git a/roles/nginx/auth/whawty-sso/login/defaults/main.yml b/roles/nginx/auth/whawty-sso/login/defaults/main.yml
new file mode 100644
index 00000000..c9261474
--- /dev/null
+++ b/roles/nginx/auth/whawty-sso/login/defaults/main.yml
@@ -0,0 +1,61 @@
+---
+# whawty_nginx_sso_logins:
+# example:
+# hostname: login.example.com
+# tls:
+# certificate_provider: ....
+# ...
+# config:
+# cookie:
+# domain: ".example.com"
+# name: __Secure-example-sso
+# secure: yes
+# expire: 168h
+# keys:
+# - name: 2023-11
+# ed25519:
+# private-key: |-
+# ....
+# auth:
+# ldap:
+# servers:
+# - ldaps://ldap1.example.com
+# - ldaps://ldap2.example.com
+# tls:
+# start-tls: false
+# insecure-skip-verify: false
+# ca-certificates: |-
+# -----BEGIN CERTIFICATE-----
+# ...
+# -----END CERTIFICATE-----
+# web:
+# listen: 127.0.0.1:1234
+# login:
+# title: "example.com - Login"
+# foo:
+# hostname: login.foo.bar
+# tls:
+# certificate_provider: ....
+# ...
+# config:
+# cookie:
+# domain: ".example.com"
+# name: __Secure-foobar-sso
+# secure: yes
+# expire: 24h
+# keys:
+# - name: 2023-11
+# ed25519:
+# private-key: |-
+# ....
+# auth:
+# static:
+# autoreload: yes
+# web:
+# listen: 127.0.0.1:2345
+# login:
+# title: "foobar - Login"
+
+# whawty_nginx_sso_login_static_credentials__foo:
+# admin: "very-secret"
+# equinox: "secret"
diff --git a/roles/nginx/auth/whawty-sso/login/handlers/main.yml b/roles/nginx/auth/whawty-sso/login/handlers/main.yml
new file mode 100644
index 00000000..f4bbf308
--- /dev/null
+++ b/roles/nginx/auth/whawty-sso/login/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: restart whawty-nginx-sso
+ loop: "{{ whawty_nginx_sso_logins | list }}"
+ service:
+ name: "whawty-nginx-sso@{{ item }}.service"
+ state: restarted
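Review bot: The handler restarts every `whawty-nginx-sso@*` instance whenever any one config file changes, because it loops over the whole `whawty_nginx_sso_logins` mapping instead of the instance whose file was rewritten; with more than one login configured that is an avoidable interruption for the untouched ones. It also uses `service:` while the tasks file drives the same units through `systemd:`; using `systemd:` here keeps the role consistent and lets the handler pass `daemon_reload: true` when the unit file changes.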
diff --git a/roles/nginx/auth/whawty-sso/login/tasks/main.yml b/roles/nginx/auth/whawty-sso/login/tasks/main.yml
new file mode 100644
index 00000000..1ab43c8e
--- /dev/null
+++ b/roles/nginx/auth/whawty-sso/login/tasks/main.yml
@@ -0,0 +1,64 @@
+---
+- name: create configuration directory
+ file:
+ path: /etc/nginx/auth/whawty-sso
+ state: directory
+
+- name: generate htpasswd files for static backends
+ loop: "{{ whawty_nginx_sso_logins | dict2items | selectattr('value.config.auth.static', 'defined') | selectattr('value.config.auth.static.htpasswd', 'undefined') }}"
+ loop_control:
+ label: "{{ item.key }}"
+ copy:
+ content: |
+ {% for user,password in lookup('vars', 'whawty_nginx_sso_login_static_credentials__'~item.key).items() %}
+ {{ user }}:{{ password | password_hash('bcrypt', (user~'@whawty-nginx-sso_'~item.key) | bcrypt_salt) }}
+ {% endfor %}
+ dest: "/etc/nginx/auth/whawty-sso/{{ item.key }}.htpasswd"
+ mode: 0400
+
+
+- name: generate configuration file
+ loop: "{{ whawty_nginx_sso_logins | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ copy:
+ content: |
+ # ansible generated
+ {% set ssoconf = item.value.config %}
+ {% if 'static' in ssoconf.auth and 'htpasswd' not in ssoconf.auth.static %}
+ {% set _dummy = ssoconf.auth.static.update({'htpasswd': '/etc/nginx/auth/whawty-sso/'~item.key~'.htpasswd'}) %}
+ {% endif %}
+ {{ ssoconf | to_nice_yaml(indent=2) }}
+ dest: "/etc/nginx/auth/whawty-sso/{{ item.key }}.yml"
+ mode: 0400
+ notify: restart whawty-nginx-sso
+
+- name: make sure nginx-sso services are enabled and started
+ loop: "{{ whawty_nginx_sso_logins | list }}"
+ systemd:
+ name: "whawty-nginx-sso@{{ item }}.service"
+ daemon_reload: yes
+ state: started
+ enabled: yes
+
+- name: configure vhost for whawty nginx-sso login
+ loop: "{{ whawty_nginx_sso_logins | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ vars:
+ nginx_vhost:
+ name: "whawty-nginx-sso-{{ item.key }}"
+ template: generic
+ tls:
+ certificate_provider: acmetool
+ certificate_config:
+ request:
+ challenge:
+ http-self-test: false
+ hostnames:
+ - "{{ item.value.hostname }}"
+ locations:
+ '/':
+ proxy_pass: "http://{{ item.value.config.web.listen }}/"
+ include_role:
+ name: nginx/vhost
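Review bot: The `generate configuration file` task injects the htpasswd path by calling `.update()` on `item.value.config.auth.static` from inside the template (`{% set _dummy = ... %}`), which mutates the host variable in place instead of producing a derived value; later tasks and re-runs see the modified dict, and the `_dummy` assignment exists only to swallow the return value. The side-effect-free form keeps the same `{% if %}` guard and renders `{{ ssoconf | combine({'auth': {'static': {'htpasswd': '/etc/nginx/auth/whawty-sso/'~item.key~'.htpasswd'}}}, recursive=True) | to_nice_yaml(indent=2) }}`. `mode: 0400` is unquoted here and in the htpasswd task — it works only because YAML 1.1 reads the leading zero as octal; Ansible recommends `mode: "0400"`, and `daemon_reload: yes` / `enabled: yes` should be `true` for the same reason.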