summaryrefslogtreecommitdiff
path: root/roles/nginx/auth
diff options
context:
space:
mode:
Diffstat (limited to 'roles/nginx/auth')
-rw-r--r--roles/nginx/auth/whawty-sso/base/defaults/main.yml8
-rw-r--r--roles/nginx/auth/whawty-sso/base/tasks/main.yml20
-rw-r--r--roles/nginx/auth/whawty-sso/base/templates/nginx.snippet.j219
-rw-r--r--roles/nginx/auth/whawty-sso/base/templates/whawty-nginx-sso@.service.j231
-rw-r--r--roles/nginx/auth/whawty-sso/login/defaults/main.yml61
-rw-r--r--roles/nginx/auth/whawty-sso/login/handlers/main.yml6
-rw-r--r--roles/nginx/auth/whawty-sso/login/tasks/main.yml64
7 files changed, 209 insertions, 0 deletions
diff --git a/roles/nginx/auth/whawty-sso/base/defaults/main.yml b/roles/nginx/auth/whawty-sso/base/defaults/main.yml
new file mode 100644
index 00000000..62c3e318
--- /dev/null
+++ b/roles/nginx/auth/whawty-sso/base/defaults/main.yml
@@ -0,0 +1,8 @@
+---
+# whawty_nginx_sso_backends:
+# example:
+# port: 1234
+# login_url: https://login.example.com/login
+# foo:
+# port: 2345
+# login_url: https://login.foo.bar/login
diff --git a/roles/nginx/auth/whawty-sso/base/tasks/main.yml b/roles/nginx/auth/whawty-sso/base/tasks/main.yml
new file mode 100644
index 00000000..a410cfeb
--- /dev/null
+++ b/roles/nginx/auth/whawty-sso/base/tasks/main.yml
@@ -0,0 +1,20 @@
+---
+# TODO: create whawty-nginx-sso user?
+
+- name: install nginx-sso package
+ apt:
+ name: whawty-nginx-sso
+ state: present
+
+- name: generate nginx snippets
+ loop: "{{ whawty_nginx_sso_backends | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ template:
+ src: nginx.snippet.j2
+ dest: "/etc/nginx/snippets/whawty-sso-{{ item.key }}.conf"
+
+- name: install systemd service unit
+ template:
+ src: whawty-nginx-sso@.service.j2
+ dest: /etc/systemd/system/whawty-nginx-sso@.service
diff --git a/roles/nginx/auth/whawty-sso/base/templates/nginx.snippet.j2 b/roles/nginx/auth/whawty-sso/base/templates/nginx.snippet.j2
new file mode 100644
index 00000000..f8f67c45
--- /dev/null
+++ b/roles/nginx/auth/whawty-sso/base/templates/nginx.snippet.j2
@@ -0,0 +1,19 @@
+auth_request /auth;
+error_page 401 = @error401;
+
+location /auth {
+ internal;
+
+ proxy_pass 127.0.0.1:{{ item.value.port }}/auth;
+ proxy_pass_request_body off;
+ proxy_set_header Content-Length "";
+ proxy_set_header X-Origin-URI $request_uri;
+ proxy_set_header X-Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+}
+
+location @error401 {
+ return 302 {{ item.value.login_url }}?redir=$scheme://$http_host$request_uri;
+}
diff --git a/roles/nginx/auth/whawty-sso/base/templates/whawty-nginx-sso@.service.j2 b/roles/nginx/auth/whawty-sso/base/templates/whawty-nginx-sso@.service.j2
new file mode 100644
index 00000000..d4a787f3
--- /dev/null
+++ b/roles/nginx/auth/whawty-sso/base/templates/whawty-nginx-sso@.service.j2
@@ -0,0 +1,31 @@
+[Unit]
+Description=whawty nginx SSO authentication daemon (%i)
+
+[Service]
+Restart=on-failure
+#Environment="WHAWTY_NGINX_SSO_DEBUG=1"
+ExecStart=/usr/bin/whawty-nginx-sso --config /etc/nginx/auth/whawty-sso/%i.yml run
+
+# systemd hardening-options
+AmbientCapabilities=
+CapabilityBoundingSet=
+DeviceAllow=/dev/null rw
+DevicePolicy=strict
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=full
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/nginx/auth/whawty-sso/login/defaults/main.yml b/roles/nginx/auth/whawty-sso/login/defaults/main.yml
new file mode 100644
index 00000000..c9261474
--- /dev/null
+++ b/roles/nginx/auth/whawty-sso/login/defaults/main.yml
@@ -0,0 +1,61 @@
+---
+# whawty_nginx_sso_logins:
+# example:
+# hostname: login.example.com
+# tls:
+# certificate_provider: ....
+# ...
+# config:
+# cookie:
+# domain: ".example.com"
+# name: __Secure-example-sso
+# secure: yes
+# expire: 168h
+# keys:
+# - name: 2023-11
+# ed25519:
+# private-key: |-
+# ....
+# auth:
+# ldap:
+# servers:
+# - ldaps://ldap1.example.com
+# - ldaps://ldap2.example.com
+# tls:
+# start-tls: false
+# insecure-skip-verify: false
+# ca-certificates: |-
+# -----BEGIN CERTIFICATE-----
+# ...
+# -----END CERTIFICATE-----
+# web:
+# listen: 127.0.0.1:1234
+# login:
+# title: "example.com - Login"
+# foo:
+# hostname: login.foo.bar
+# tls:
+# certificate_provider: ....
+# ...
+# config:
+# cookie:
+# domain: ".example.com"
+# name: __Secure-foobar-sso
+# secure: yes
+# expire: 24h
+# keys:
+# - name: 2023-11
+# ed25519:
+# private-key: |-
+# ....
+# auth:
+# static:
+# autoreload: yes
+# web:
+# listen: 127.0.0.1:2345
+# login:
+# title: "foobar - Login"
+
+# whawty_nginx_sso_login_static_credentials__foo:
+# admin: "very-secret"
+# equinox: "secret"
diff --git a/roles/nginx/auth/whawty-sso/login/handlers/main.yml b/roles/nginx/auth/whawty-sso/login/handlers/main.yml
new file mode 100644
index 00000000..f4bbf308
--- /dev/null
+++ b/roles/nginx/auth/whawty-sso/login/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: restart whawty-nginx-sso
+ loop: "{{ whawty_nginx_sso_logins | list }}"
+ service:
+ name: "whawty-nginx-sso@{{ item }}.service"
+ state: restarted
diff --git a/roles/nginx/auth/whawty-sso/login/tasks/main.yml b/roles/nginx/auth/whawty-sso/login/tasks/main.yml
new file mode 100644
index 00000000..1ab43c8e
--- /dev/null
+++ b/roles/nginx/auth/whawty-sso/login/tasks/main.yml
@@ -0,0 +1,64 @@
+---
+- name: create configuration directory
+ file:
+ path: /etc/nginx/auth/whawty-sso
+ state: directory
+
+- name: generate htpasswd files for static backends
+ loop: "{{ whawty_nginx_sso_logins | dict2items | selectattr('value.config.auth.static', 'defined') | selectattr('value.config.auth.static.htpasswd', 'undefined') }}"
+ loop_control:
+ label: "{{ item.key }}"
+ copy:
+ content: |
+ {% for user,password in lookup('vars', 'whawty_nginx_sso_login_static_credentials__'~item.key).items() %}
+ {{ user }}:{{ password | password_hash('bcrypt', (user~'@whawty-nginx-sso_'~item.key) | bcrypt_salt) }}
+ {% endfor %}
+ dest: "/etc/nginx/auth/whawty-sso/{{ item.key }}.htpasswd"
+ mode: 0400
+
+
+- name: generate configuration file
+ loop: "{{ whawty_nginx_sso_logins | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ copy:
+ content: |
+ # ansible generated
+ {% set ssoconf = item.value.config %}
+ {% if 'static' in ssoconf.auth and 'htpasswd' not in ssoconf.auth.static %}
+ {% set _dummy = ssoconf.auth.static.update({'htpasswd': '/etc/nginx/auth/whawty-sso/'~item.key~'.htpasswd'}) %}
+ {% endif %}
+ {{ ssoconf | to_nice_yaml(indent=2) }}
+ dest: "/etc/nginx/auth/whawty-sso/{{ item.key }}.yml"
+ mode: 0400
+ notify: restart whawty-nginx-sso
+
+- name: make sure nginx-sso services are enabled and started
+ loop: "{{ whawty_nginx_sso_logins | list }}"
+ systemd:
+ name: "whawty-nginx-sso@{{ item }}.service"
+ daemon_reload: yes
+ state: started
+ enabled: yes
+
+- name: configure vhost for whawty nginx-sso login
+ loop: "{{ whawty_nginx_sso_logins | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ vars:
+ nginx_vhost:
+ name: "whawty-nginx-sso-{{ item.key }}"
+ template: generic
+ tls:
+ certificate_provider: acmetool
+ certificate_config:
+ request:
+ challenge:
+ http-self-test: false
+ hostnames:
+ - "{{ item.value.hostname }}"
+ locations:
+ '/':
+ proxy_pass: "http://{{ item.value.config.web.listen }}/"
+ include_role:
+ name: nginx/vhost