diff options
Diffstat (limited to 'roles')
7 files changed, 209 insertions, 0 deletions
diff --git a/roles/nginx/auth/whawty-sso/base/defaults/main.yml b/roles/nginx/auth/whawty-sso/base/defaults/main.yml new file mode 100644 index 00000000..62c3e318 --- /dev/null +++ b/roles/nginx/auth/whawty-sso/base/defaults/main.yml @@ -0,0 +1,8 @@ +--- +# whawty_nginx_sso_backends: +# example: +# port: 1234 +# login_url: https://login.example.com/login +# foo: +# port: 2345 +# login_url: https://login.foo.bar/login diff --git a/roles/nginx/auth/whawty-sso/base/tasks/main.yml b/roles/nginx/auth/whawty-sso/base/tasks/main.yml new file mode 100644 index 00000000..a410cfeb --- /dev/null +++ b/roles/nginx/auth/whawty-sso/base/tasks/main.yml @@ -0,0 +1,20 @@ +--- +# TODO: create whawty-nginx-sso user? + +- name: install nginx-sso package + apt: + name: whawty-nginx-sso + state: present + +- name: generate nginx snippets + loop: "{{ whawty_nginx_sso_backends | dict2items }}" + loop_control: + label: "{{ item.key }}" + template: + src: nginx.snippet.j2 + dest: "/etc/nginx/snippets/whawty-sso-{{ item.key }}.conf" + +- name: install systemd service unit + template: + src: whawty-nginx-sso@.service.j2 + dest: /etc/systemd/system/whawty-nginx-sso@.service diff --git a/roles/nginx/auth/whawty-sso/base/templates/nginx.snippet.j2 b/roles/nginx/auth/whawty-sso/base/templates/nginx.snippet.j2 new file mode 100644 index 00000000..f8f67c45 --- /dev/null +++ b/roles/nginx/auth/whawty-sso/base/templates/nginx.snippet.j2 @@ -0,0 +1,19 @@ +auth_request /auth; +error_page 401 = @error401; + +location /auth { + internal; + + proxy_pass 127.0.0.1:{{ item.value.port }}/auth; + proxy_pass_request_body off; + proxy_set_header Content-Length ""; + proxy_set_header X-Origin-URI $request_uri; + proxy_set_header X-Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; +} + +location @error401 { + return 302 {{ item.value.login_url }}?redir=$scheme://$http_host$request_uri; +} diff --git a/roles/nginx/auth/whawty-sso/base/templates/whawty-nginx-sso@.service.j2 b/roles/nginx/auth/whawty-sso/base/templates/whawty-nginx-sso@.service.j2 new file mode 100644 index 00000000..d4a787f3 --- /dev/null +++ b/roles/nginx/auth/whawty-sso/base/templates/whawty-nginx-sso@.service.j2 @@ -0,0 +1,31 @@ +[Unit] +Description=whawty nginx SSO authentication daemon (%i) + +[Service] +Restart=on-failure +#Environment="WHAWTY_NGINX_SSO_DEBUG=1" +ExecStart=/usr/bin/whawty-nginx-sso --config /etc/nginx/auth/whawty-sso/%i.yml run + +# systemd hardening-options +AmbientCapabilities= +CapabilityBoundingSet= +DeviceAllow=/dev/null rw +DevicePolicy=strict +LockPersonality=true +MemoryDenyWriteExecute=true +NoNewPrivileges=true +PrivateDevices=true +PrivateTmp=true +PrivateUsers=true +ProtectControlGroups=true +ProtectHome=true +ProtectKernelModules=true +ProtectKernelTunables=true +ProtectSystem=full +RemoveIPC=true +RestrictNamespaces=true +RestrictRealtime=true +SystemCallArchitectures=native + +[Install] +WantedBy=multi-user.target diff --git a/roles/nginx/auth/whawty-sso/login/defaults/main.yml b/roles/nginx/auth/whawty-sso/login/defaults/main.yml new file mode 100644 index 00000000..c9261474 --- /dev/null +++ b/roles/nginx/auth/whawty-sso/login/defaults/main.yml @@ -0,0 +1,61 @@ +--- +# whawty_nginx_sso_logins: +# example: +# hostname: login.example.com +# tls: +# certificate_provider: .... +# ... +# config: +# cookie: +# domain: ".example.com" +# name: __Secure-example-sso +# secure: yes +# expire: 168h +# keys: +# - name: 2023-11 +# ed25519: +# private-key: |- +# .... +# auth: +# ldap: +# servers: +# - ldaps://ldap1.example.com +# - ldaps://ldap2.example.com +# tls: +# start-tls: false +# insecure-skip-verify: false +# ca-certificates: |- +# -----BEGIN CERTIFICATE----- +# ... +# -----END CERTIFICATE----- +# web: +# listen: 127.0.0.1:1234 +# login: +# title: "example.com - Login" +# foo: +# hostname: login.foo.bar +# tls: +# certificate_provider: .... +# ... +# config: +# cookie: +# domain: ".example.com" +# name: __Secure-foobar-sso +# secure: yes +# expire: 24h +# keys: +# - name: 2023-11 +# ed25519: +# private-key: |- +# .... +# auth: +# static: +# autoreload: yes +# web: +# listen: 127.0.0.1:2345 +# login: +# title: "foobar - Login" + +# whawty_nginx_sso_login_static_credentials__foo: +# admin: "very-secret" +# equinox: "secret" diff --git a/roles/nginx/auth/whawty-sso/login/handlers/main.yml b/roles/nginx/auth/whawty-sso/login/handlers/main.yml new file mode 100644 index 00000000..f4bbf308 --- /dev/null +++ b/roles/nginx/auth/whawty-sso/login/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: restart whawty-nginx-sso + loop: "{{ whawty_nginx_sso_logins | list }}" + service: + name: "whawty-nginx-sso@{{ item }}.service" + state: restarted diff --git a/roles/nginx/auth/whawty-sso/login/tasks/main.yml b/roles/nginx/auth/whawty-sso/login/tasks/main.yml new file mode 100644 index 00000000..1ab43c8e --- /dev/null +++ b/roles/nginx/auth/whawty-sso/login/tasks/main.yml @@ -0,0 +1,64 @@ +--- +- name: create configuration directory + file: + path: /etc/nginx/auth/whawty-sso + state: directory + +- name: generate htpasswd files for static backends + loop: "{{ whawty_nginx_sso_logins | dict2items | selectattr('value.config.auth.static', 'defined') | selectattr('value.config.auth.static.htpasswd', 'undefined') }}" + loop_control: + label: "{{ item.key }}" + copy: + content: | + {% for user,password in lookup('vars', 'whawty_nginx_sso_login_static_credentials__'~item.key).items() %} + {{ user }}:{{ password | password_hash('bcrypt', (user~'@whawty-nginx-sso_'~item.key) | bcrypt_salt) }} + {% endfor %} + dest: "/etc/nginx/auth/whawty-sso/{{ item.key }}.htpasswd" + mode: 0400 + + +- name: generate configuration file + loop: "{{ whawty_nginx_sso_logins | dict2items }}" + loop_control: + label: "{{ item.key }}" + copy: + content: | + # ansible generated + {% set ssoconf = item.value.config %} + {% if 'static' in ssoconf.auth and 'htpasswd' not in ssoconf.auth.static %} + {% set _dummy = ssoconf.auth.static.update({'htpasswd': '/etc/nginx/auth/whawty-sso/'~item.key~'.htpasswd'}) %} + {% endif %} + {{ ssoconf | to_nice_yaml(indent=2) }} + dest: "/etc/nginx/auth/whawty-sso/{{ item.key }}.yml" + mode: 0400 + notify: restart whawty-nginx-sso + +- name: make sure nginx-sso services are enabled and started + loop: "{{ whawty_nginx_sso_logins | list }}" + systemd: + name: "whawty-nginx-sso@{{ item }}.service" + daemon_reload: yes + state: started + enabled: yes + +- name: configure vhost for whawty nginx-sso login + loop: "{{ whawty_nginx_sso_logins | dict2items }}" + loop_control: + label: "{{ item.key }}" + vars: + nginx_vhost: + name: "whawty-nginx-sso-{{ item.key }}" + template: generic + tls: + certificate_provider: acmetool + certificate_config: + request: + challenge: + http-self-test: false + hostnames: + - "{{ item.value.hostname }}" + locations: + '/': + proxy_pass: "http://{{ item.value.config.web.listen }}/" + include_role: + name: nginx/vhost |