diff options
Diffstat (limited to 'roles/nginx/auth/whawty-sso/base')
4 files changed, 78 insertions, 0 deletions
diff --git a/roles/nginx/auth/whawty-sso/base/defaults/main.yml b/roles/nginx/auth/whawty-sso/base/defaults/main.yml new file mode 100644 index 00000000..62c3e318 --- /dev/null +++ b/roles/nginx/auth/whawty-sso/base/defaults/main.yml @@ -0,0 +1,8 @@ +--- +# whawty_nginx_sso_backends: +# example: +# port: 1234 +# login_url: https://login.example.com/login +# foo: +# port: 2345 +# login_url: https://login.foo.bar/login diff --git a/roles/nginx/auth/whawty-sso/base/tasks/main.yml b/roles/nginx/auth/whawty-sso/base/tasks/main.yml new file mode 100644 index 00000000..a410cfeb --- /dev/null +++ b/roles/nginx/auth/whawty-sso/base/tasks/main.yml @@ -0,0 +1,20 @@ +--- +# TODO: create whawty-nginx-sso user? + +- name: install nginx-sso package + apt: + name: whawty-nginx-sso + state: present + +- name: generate nginx snippets + loop: "{{ whawty_nginx_sso_backends | dict2items }}" + loop_control: + label: "{{ item.key }}" + template: + src: nginx.snippet.j2 + dest: "/etc/nginx/snippets/whawty-sso-{{ item.key }}.conf" + +- name: install systemd service unit + template: + src: whawty-nginx-sso@.service.j2 + dest: /etc/systemd/system/whawty-nginx-sso@.service diff --git a/roles/nginx/auth/whawty-sso/base/templates/nginx.snippet.j2 b/roles/nginx/auth/whawty-sso/base/templates/nginx.snippet.j2 new file mode 100644 index 00000000..f8f67c45 --- /dev/null +++ b/roles/nginx/auth/whawty-sso/base/templates/nginx.snippet.j2 @@ -0,0 +1,19 @@ +auth_request /auth; +error_page 401 = @error401; + +location /auth { + internal; + + proxy_pass 127.0.0.1:{{ item.value.port }}/auth; + proxy_pass_request_body off; + proxy_set_header Content-Length ""; + proxy_set_header X-Origin-URI $request_uri; + proxy_set_header X-Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; +} + +location @error401 { + return 302 {{ item.value.login_url }}?redir=$scheme://$http_host$request_uri; +} diff --git a/roles/nginx/auth/whawty-sso/base/templates/whawty-nginx-sso@.service.j2 b/roles/nginx/auth/whawty-sso/base/templates/whawty-nginx-sso@.service.j2 new file mode 100644 index 00000000..d4a787f3 --- /dev/null +++ b/roles/nginx/auth/whawty-sso/base/templates/whawty-nginx-sso@.service.j2 @@ -0,0 +1,31 @@ +[Unit] +Description=whawty nginx SSO authentication daemon (%i) + +[Service] +Restart=on-failure +#Environment="WHAWTY_NGINX_SSO_DEBUG=1" +ExecStart=/usr/bin/whawty-nginx-sso --config /etc/nginx/auth/whawty-sso/%i.yml run + +# systemd hardening-options +AmbientCapabilities= +CapabilityBoundingSet= +DeviceAllow=/dev/null rw +DevicePolicy=strict +LockPersonality=true +MemoryDenyWriteExecute=true +NoNewPrivileges=true +PrivateDevices=true +PrivateTmp=true +PrivateUsers=true +ProtectControlGroups=true +ProtectHome=true +ProtectKernelModules=true +ProtectKernelTunables=true +ProtectSystem=full +RemoveIPC=true +RestrictNamespaces=true +RestrictRealtime=true +SystemCallArchitectures=native + +[Install] +WantedBy=multi-user.target |