Diffstat (limited to 'roles/nginx/auth/whawty-sso/login')
-rw-r--r--roles/nginx/auth/whawty-sso/login/defaults/main.yml16
-rw-r--r--roles/nginx/auth/whawty-sso/login/tasks/main.yml12
2 files changed, 24 insertions, 4 deletions
diff --git a/roles/nginx/auth/whawty-sso/login/defaults/main.yml b/roles/nginx/auth/whawty-sso/login/defaults/main.yml
index 6f7afe04..6e6249e7 100644
--- a/roles/nginx/auth/whawty-sso/login/defaults/main.yml
+++ b/roles/nginx/auth/whawty-sso/login/defaults/main.yml
@@ -14,17 +14,19 @@
# keys:
# - name: 2023-11
# ed25519:
-# private-key: |-
+# private-key-data: |-
# ....
+# backend:
+# bolt: {}
# auth:
# ldap:
# servers:
# - ldaps://ldap1.example.com
# - ldaps://ldap2.example.com
+# start-tls: false
# tls:
-# start-tls: false
# insecure-skip-verify: false
-# ca-certificates: |-
+# ca-certificates-data: |-
# -----BEGIN CERTIFICATE-----
# ...
# -----END CERTIFICATE-----
@@ -46,8 +48,11 @@
# keys:
# - name: 2023-11
# ed25519:
-# private-key: |-
+# private-key-data: |-
# ....
+# backend:
+# bolt:
+# path: /path/to/db.bolt
# auth:
# static:
# autoreload: yes
@@ -55,6 +60,9 @@
# listen: 127.0.0.1:2345
# login:
# title: "foobar - Login"
+# revocations:
+# tokens:
+# - secret
# whawty_nginx_sso_login_static_credentials__foo:
# admin: "very-secret"
diff --git a/roles/nginx/auth/whawty-sso/login/tasks/main.yml b/roles/nginx/auth/whawty-sso/login/tasks/main.yml
index 342c8521..e2267238 100644
--- a/roles/nginx/auth/whawty-sso/login/tasks/main.yml
+++ b/roles/nginx/auth/whawty-sso/login/tasks/main.yml
@@ -16,6 +16,15 @@
dest: "/etc/nginx/auth/whawty-sso/{{ item.key }}.htpasswd"
mode: 0400
+- name: make sure store backend directories exist
+ loop: "{{ whawty_nginx_sso_logins | dict2items | selectattr('value.config.cookie.backend.bolt', 'defined') }}"
+ loop_control:
+ label: "{{ item.key }}"
+ file:
+ path: "{{ item.value.config.cookie.backend.bolt.path | default('/var/lib/whawty/nginx-sso/'~item.key~'.bolt') | dirname }}"
+ state: directory
+ mode: 0700
+
- name: generate configuration file
loop: "{{ whawty_nginx_sso_logins | dict2items }}"
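Review bot: The new `file` task with `state: directory` and `mode: 0700` applied to `path: "{{ ... | dirname }}"` also re-chmods a directory that already exists, so a login that sets a custom `backend.bolt.path` outside the default tree (for example directly under `/var/lib` or `/srv`) would have that shared parent directory locked down to 0700 for every other user of it. Restrict the mode to the role-managed default location, e.g. `mode: "{{ omit if item.value.config.cookie.backend.bolt.path is defined else '0700' }}"`, or create only `/var/lib/whawty/nginx-sso` here and leave operator-chosen paths to the operator. The task also sets no `owner`/`group`, so the directory belongs to the connection user (normally root) and the nginx-sso process can only create `<key>.bolt` inside it if it runs as root; I cannot see its service user from this diff, but if it is a dedicated account the directory needs `owner`/`group` set to that account. The added task is complete in this hunk; the `generate configuration file` task that follows continues outside it.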
@@ -28,6 +37,9 @@
{% if 'static' in ssoconf.auth and 'htpasswd' not in ssoconf.auth.static %}
{% set _dummy = ssoconf.auth.static.update({'htpasswd': '/etc/nginx/auth/whawty-sso/'~item.key~'.htpasswd'}) %}
{% endif %}
+ {% if 'bolt' in ssoconf.cookie.backend and 'path' not in ssoconf.cookie.backend.bolt %}
+ {% set _dummy = ssoconf.cookie.backend.bolt.update({'path': '/var/lib/whawty/nginx-sso/'~item.key~'.bolt'}) %}
+ {% endif %}
{{ ssoconf | to_nice_yaml(indent=2) }}
dest: "/etc/nginx/auth/whawty-sso/{{ item.key }}.yml"
mode: 0400
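Review bot: The new guard `{% if 'bolt' in ssoconf.cookie.backend and 'path' not in ssoconf.cookie.backend.bolt %}` raises an undefined-variable error for any login whose config has no `cookie.backend` mapping, because Jinja's `in` test on an undefined value fails, whereas the htpasswd guard just above only dereferences `ssoconf.auth.static` after testing `'static' in ssoconf.auth`. If `backend` is optional in nginx-sso's config, write it as `{% if ssoconf.cookie.backend is defined and 'bolt' in ssoconf.cookie.backend and 'path' not in ssoconf.cookie.backend.bolt %}`; if it is mandatory (all the examples in defaults/main.yml set it), a hard failure is acceptable, but the condition should then mirror the `selectattr('value.config.cookie.backend.bolt', 'defined')` filter used by the directory task so a login rendered with a default path is guaranteed to get its directory. The default literal `/var/lib/whawty/nginx-sso/` now appears in both that task and this template; a single role default for it would keep the two from drifting. The enclosing `generate configuration file` task starts outside the hunk.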