From 30eff2fb90b93e30b51f98662fbc3bda5e9131d4 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Sun, 1 Oct 2023 20:28:56 +0200 Subject: add role for nginx-sso --- dan/sk-testvm.yml | 32 +++++++++++++++-- files/chaos-at-home/bind-zones/db.spreadspace | 3 +- inventory/host_vars/sk-testvm.yml | 42 ++++++++++++++++++++++ roles/nginx/auth/sso/backend/defaults/main.yml | 37 +++++++++++++++++++ roles/nginx/auth/sso/backend/handlers/main.yml | 12 +++++++ roles/nginx/auth/sso/backend/tasks/main.yml | 37 +++++++++++++++++++ .../sso/backend/templates/nginx-sso@.service.j2 | 31 ++++++++++++++++ roles/nginx/auth/sso/base/defaults/main.yml | 7 ++++ roles/nginx/auth/sso/base/tasks/main.yml | 6 ++++ .../nginx/auth/sso/base/templates/nginx.snippet.j2 | 23 ++++++++++++ 10 files changed, 226 insertions(+), 4 deletions(-) create mode 100644 roles/nginx/auth/sso/backend/defaults/main.yml create mode 100644 roles/nginx/auth/sso/backend/handlers/main.yml create mode 100644 roles/nginx/auth/sso/backend/tasks/main.yml create mode 100644 roles/nginx/auth/sso/backend/templates/nginx-sso@.service.j2 create mode 100644 roles/nginx/auth/sso/base/defaults/main.yml create mode 100644 roles/nginx/auth/sso/base/tasks/main.yml create mode 100644 roles/nginx/auth/sso/base/templates/nginx.snippet.j2 diff --git a/dan/sk-testvm.yml b/dan/sk-testvm.yml index 33d237cd..88af0dc5 100644 --- a/dan/sk-testvm.yml +++ b/dan/sk-testvm.yml @@ -11,18 +11,20 @@ - name: Payload Setup hosts: sk-testvm vars: - # acme_client: uacme + acme_client: uacme # acme_client: acmetool - # cert_provider: "{{ acme_client }}" + cert_provider: "{{ acme_client }}" # cert_provider: static # cert_provider: selfsigned - cert_provider: ownca + # cert_provider: ownca roles: - role: apt-repo/spreadspace - role: kubernetes/base - role: kubernetes/standalone/base - role: "x509/{{ cert_provider }}/base" - role: nginx/base + - role: nginx/auth/sso/base + - role: nginx/auth/sso/backend - role: nginx/vhost nginx_vhost: default: yes 
@@ -38,6 +40,22 @@ '/': root: /var/www/default index: index.html + - role: nginx/vhost + nginx_vhost: + name: login + template: generic + tls: + certificate_provider: "{{ cert_provider }}" + certificate_config: "{{ lookup('vars', cert_provider+'_cert_config__test', default={}) }}" + hsts: no + hostnames: + - login.spreadspace.org + - login.spreadspace.com + - login.spreadspace.net + - login.spreadspace.systems + locations: + '/': + proxy_pass: http://127.0.0.1:8082 - role: nginx/vhost nginx_vhost: name: test @@ -51,10 +69,18 @@ - test.spreadspace.com - test.spreadspace.net - test.spreadspace.systems + extra_directives: | + include snippets/sso-spreadspace.conf; locations: '/': + # proxy_pass: http://127.0.0.1:8080 root: /var/www/test index: index.html + extra_directives: | + #auth_request_set $username $upstream_http_x_username; + #proxy_set_header Remote-User $username; + auth_request_set $cookie $upstream_http_set_cookie; + add_header Set-Cookie $cookie; # - role: apps/mumble # mumble_version: v1.4.274-4 # mumble_instance: spreadspace diff --git a/files/chaos-at-home/bind-zones/db.spreadspace b/files/chaos-at-home/bind-zones/db.spreadspace index 9d9a93f7..76495109 100644 --- a/files/chaos-at-home/bind-zones/db.spreadspace +++ b/files/chaos-at-home/bind-zones/db.spreadspace @@ -1,7 +1,7 @@ $TTL 1h @ SOA ns0.chaos-at-home.org. hostmaster ( - 2023051600 + 2023100100 1h 5m 30d @@ -31,6 +31,7 @@ stream 1200 CNAME mimas.chaos-at-home.org. git 1200 A 116.203.212.131 test A 178.63.180.143 +login A 178.63.180.143 rhgit A 212.17.109.195 ; GLT diff --git a/inventory/host_vars/sk-testvm.yml b/inventory/host_vars/sk-testvm.yml index 264e87f6..2650b85b 100644 --- a/inventory/host_vars/sk-testvm.yml +++ b/inventory/host_vars/sk-testvm.yml @@ -39,6 +39,7 @@ external_ip: "{{ network.primary.overlay }}" # spreadspace_apt_repo_components: + - main - container docker_storage: 
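Review bot: The login vhost is served under four hostnames, but the backend it proxies to sets `cookie.domain: ".spreadspace.org"` (nginx_sso_backend_configs in inventory/host_vars/sk-testvm.yml, same commit), so a browser that logs in via login.spreadspace.com, .net or .systems is handed a cookie for a foreign domain, drops it, and never becomes authenticated. Either keep only the .org name on this vhost or run one backend (with its own cookie domain) per TLD. `hsts: no` on the vhost that receives credentials is also worth a second look; if it is deliberate for the test VM, a YAML comment stating why would stop the next reader from "fixing" it. The enclosing `roles:` list starts before this hunk.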
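Review bot: The two `#auth_request_set` / `#proxy_set_header` lines inside the second `extra_directives` block scalar are not YAML comments — the scalar is copied verbatim, so they land in the rendered nginx config as dead nginx comments; keep such experiments as YAML comments outside the scalar (like the `# proxy_pass:` line above them) or drop them. Also note that `add_header Set-Cookie $cookie;` inside `'/'` stops that location from inheriting any `add_header` the vhost template emits at server level (nginx inherits add_header only when the current level defines none), so if the generic template sets e.g. security headers for the server they will be missing on `/` — confirm what the template emits. The `nginx_vhost: test` mapping begins before this hunk.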
@@ -525,3 +526,44 @@ ownca_cert_config__test: extended_key_usage_critical: yes create_subject_key_identifier: yes not_after: +100w + + +nginx_sso_backends: + spreadspace: + auth_url: http://127.0.0.1:8082/auth + base_url: https://login.spreadspace.org + +nginx_sso_backend_configs: + spreadspace: + login: + title: "spreadspace - Login" + default_method: "simple" + hide_mfa_field: true + names: + simple: "Username / Password" + cookie: + domain: ".spreadspace.org" + authentication_key: "WXCBcOAiDrupSxJTqIEKsT5EXBfdXbydFCI7mXDTSTL6dF0KFJKhVgbVgc3nD7G2" + prefix: nginx-sso-spreadspace + listen: + addr: "127.0.0.1" + port: 8082 + audit_log: + targets: + - fd://stdout + events: ['access_denied', 'login_success', 'login_failure', 'logout', 'validate'] + headers: ['x-origin-uri'] + trusted_ip_headers: ["X-Forwarded-For", "RemoteAddr", "X-Real-IP"] + acl: + rule_sets: + - rules: + - field: "x-host" + regexp: ".*" + allow: ["@_authenticated"] + providers: + simple: + enable_basic_auth: false + users: + admin: "{{ 'admin' | password_hash('bcrypt', ('admin@spreadspace.com/nginx-sso' | bcrypt_salt)) }}" + groups: + admins: ["admin"] diff --git a/roles/nginx/auth/sso/backend/defaults/main.yml b/roles/nginx/auth/sso/backend/defaults/main.yml new file mode 100644 index 00000000..d1928f77 --- /dev/null +++ b/roles/nginx/auth/sso/backend/defaults/main.yml 
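Review bot: The cookie signing key and the only login credential are committed in clear text: `authentication_key` is a literal, and the admin entry hashes the literal password `'admin'`, so anyone with read access to the inventory can both forge session cookies and log in as the only user. Put at least the key into an ansible-vault'ed variable and do not ship a password equal to the username, test VM or not. The `cookie:` block also omits `secure` (the role's defaults example shows `secure: yes`), so the session cookie is not marked HTTPS-only. `trusted_ip_headers` lists X-Forwarded-For first while the snippet in roles/nginx/auth/sso/base/templates/nginx.snippet.j2 (same commit) forwards `$proxy_add_x_forwarded_for`, which appends to any client-supplied header instead of replacing it; unless nginx-sso is known to take the last entry, the address written to `audit_log` can be chosen by the client, so trusting only `"X-Real-IP"` (set from `$remote_addr` in the snippet) is the safer list.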
@@ -0,0 +1,37 @@
+---
+# nginx_sso_backend_configs:
+# example:
+# login:
+# title: "example.com - Login"
+# default_method: "simple"
+# hide_mfa_field: true
+# names:
+# simple: "Username / Password"
+# cookie:
+# domain: ".example.com"
+# authentication_key: "very-very-secret"
+# prefix: nginx-sso-example
+# secure: yes
+# expire: 3600
+# listen:
+# addr: "0.0.0.0"
+# port: 8082
+# audit_log:
+# targets:
+# - fd://stdout
+# events: ['access_denied', 'login_success', 'login_failure', 'logout', 'validate']
+# headers: ['x-origin-uri']
+# trusted_ip_headers: ["X-Forwarded-For", "RemoteAddr", "X-Real-IP"]
+# acl:
+# rule_sets:
+# - rules:
+# - field: "x-host"
+# regexp: ".*"
+# allow: ["@_authenticated"]
+# providers:
+# simple:
+# enable_basic_auth: false
+# users:
+# admin: "{{ 'admin' | password_hash('bcrypt', ('admin@example.com/nginx-sso' | bcrypt_salt)) }}"
+# groups:
+# admins: ["admin"]
diff --git a/roles/nginx/auth/sso/backend/handlers/main.yml b/roles/nginx/auth/sso/backend/handlers/main.yml
new file mode 100644
index 00000000..2209c7bf
--- /dev/null
+++ b/roles/nginx/auth/sso/backend/handlers/main.yml
@@ -0,0 +1,12 @@
+---
+- name: restart nginx-sso
+ loop: "{{ nginx_sso_backend_configs | list }}"
+ service:
+ name: "nginx-sso@{{ item }}.service"
+ state: restarted
+
+- name: reload nginx-sso
+ loop: "{{ nginx_sso_backend_configs | list }}"
+ service:
+ name: "nginx-sso@{{ item }}.service"
+ state: reloaded
diff --git a/roles/nginx/auth/sso/backend/tasks/main.yml b/roles/nginx/auth/sso/backend/tasks/main.yml
new file mode 100644
index 00000000..4d555d69
--- /dev/null
+++ b/roles/nginx/auth/sso/backend/tasks/main.yml
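Review bot: `reload nginx-sso` depends on the unit's `ExecReload=/bin/kill -HUP $MAINPID` (templates/nginx-sso@.service.j2, same commit) actually making nginx-sso re-read its config; if the daemon only reopens logs or ignores SIGHUP, config changes delivered through `notify: reload nginx-sso` in tasks/main.yml are silently not applied until a restart — confirm against the packaged nginx-sso version, or switch the config task to `notify: restart nginx-sso`. Both handlers also loop over every key of `nginx_sso_backend_configs`, so editing one backend's file restarts or reloads all instances; acceptable for a small set, but worth a comment such as `# all instances are reloaded; per-instance handlers would need the changed keys`. Minor consistency point: the tasks file drives the units with the `systemd` module while these handlers use `service`.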
@@ -0,0 +1,37 @@
+---
+- name: install nginx-sso package
+ apt:
+ name: nginx-sso
+ state: present
+
+- name: create configuration directory
+ file:
+ path: /etc/nginx/auth/sso
+ state: directory
+
+- name: generate configuration file
+ loop: "{{ nginx_sso_backend_configs | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ copy:
+ content: |
+ # ansible generated
+
+ {{ item.value | to_nice_yaml }}
+ dest: "/etc/nginx/auth/sso/{{ item.key }}.yml"
+ mode: 0400
+ notify: reload nginx-sso
+
+- name: generate systemd service unit
+ template:
+ src: nginx-sso@.service.j2
+ dest: /etc/systemd/system/nginx-sso@.service
+ notify: restart nginx-sso
+
+- name: make sure nginx-sso services are enabled and started
+ loop: "{{ nginx_sso_backend_configs | list }}"
+ systemd:
+ name: "nginx-sso@{{ item }}.service"
+ daemon_reload: yes
+ state: started
+ enabled: yes
diff --git a/roles/nginx/auth/sso/backend/templates/nginx-sso@.service.j2 b/roles/nginx/auth/sso/backend/templates/nginx-sso@.service.j2
new file mode 100644
index 00000000..e2464f6f
--- /dev/null
+++ b/roles/nginx/auth/sso/backend/templates/nginx-sso@.service.j2
@@ -0,0 +1,31 @@
+[Unit]
+Description=Nginx SSO authentication daemon (%I)
+
+[Service]
+Restart=on-failure
+ExecStart=/usr/bin/nginx-sso --config /etc/nginx/auth/sso/%i.yml --frontend-dir /usr/share/nginx-sso/frontend
+ExecReload=/bin/kill -HUP $MAINPID
+
+# systemd hardening-options
+AmbientCapabilities=
+CapabilityBoundingSet=
+DeviceAllow=/dev/null rw
+DevicePolicy=strict
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=full
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target
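Review bot: Backends removed from `nginx_sso_backend_configs` are never cleaned up: their file under /etc/nginx/auth/sso/ stays in place and the enabled nginx-sso@<name>.service keeps running and listening with the old key, which matters exactly when a backend is retired because its key leaked. A `find` over /etc/nginx/auth/sso followed by `file: state: absent` plus `systemd: state: stopped` / `enabled: no` for names not in the dict would close that gap, mirroring the positive half the `dict2items` / `list` loops already do. `mode: 0400` is parsed as an octal integer by YAML 1.1, which Ansible accepts, but `mode: "0400"` is the form the Ansible docs recommend and is unambiguous under a YAML 1.2 parser; the task also sets no `owner`/`group`, so the file belongs to the connecting user (presumably root), which only works because the unit in this commit runs as root.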
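Review bot: The unit sets neither `User=` nor `DynamicUser=`, so nginx-sso — a network-facing daemon holding the cookie signing key and the user database — runs as UID 0; the emptied `CapabilityBoundingSet=` and `PrivateUsers=true` shrink what that buys an attacker, but a dedicated account is the baseline the rest of the hardening block implies. With a non-root account the config written by tasks/main.yml (`mode: 0400`, root-owned) becomes unreadable, which is what `LoadCredential=` exists for: systemd copies the root-only file into `$CREDENTIALS_DIRECTORY` for the service user, so only `ExecStart` needs to change. A few further directives are cheap here because the daemon needs only sockets and its own binaries; `ProtectSystem=strict` in particular makes the filesystem read-only except what is explicitly allowed (add `StateDirectory=` if nginx-sso writes anything — not determinable from this commit).
```ini
[Service]
DynamicUser=yes
LoadCredential=config:/etc/nginx/auth/sso/%i.yml
ExecStart=/usr/bin/nginx-sso --config ${CREDENTIALS_DIRECTORY}/config --frontend-dir /usr/share/nginx-sso/frontend
# … unchanged: Restart, ExecReload, existing hardening options …
ProtectSystem=strict
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
SystemCallFilter=@system-service
ProtectHostname=true
ProtectClock=true
```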
diff --git a/roles/nginx/auth/sso/base/defaults/main.yml b/roles/nginx/auth/sso/base/defaults/main.yml
new file mode 100644
index 00000000..4e5d9d4b
--- /dev/null
+++ b/roles/nginx/auth/sso/base/defaults/main.yml
@@ -0,0 +1,7 @@
+---
+# nginx_sso_backends:
+# example:
+# auth_url: http://127.0.0.1:8082
+# base_url: https://login.example.com
+# foo:
+# base_url: https://login.foo.bar
diff --git a/roles/nginx/auth/sso/base/tasks/main.yml b/roles/nginx/auth/sso/base/tasks/main.yml
new file mode 100644
index 00000000..dbae0bd4
--- /dev/null
+++ b/roles/nginx/auth/sso/base/tasks/main.yml
@@ -0,0 +1,6 @@
+---
+- name: generate nginx snippets
+ loop: "{{ nginx_sso_backends | dict2items }}"
+ template:
+ src: nginx.snippet.j2
+ dest: "/etc/nginx/snippets/sso-{{ item.key }}.conf"
diff --git a/roles/nginx/auth/sso/base/templates/nginx.snippet.j2 b/roles/nginx/auth/sso/base/templates/nginx.snippet.j2
new file mode 100644
index 00000000..f8558d59
--- /dev/null
+++ b/roles/nginx/auth/sso/base/templates/nginx.snippet.j2
@@ -0,0 +1,23 @@
+auth_request /sso-auth;
+error_page 401 = @error401;
+
+location /sso-auth {
+ internal;
+
+ proxy_pass {{ item.value.auth_url | default(item.value.base_url + '/auth') }};
+ proxy_pass_request_body off;
+ proxy_set_header Content-Length "";
+ proxy_set_header X-Origin-URI $request_uri;
+ proxy_set_header X-Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+}
+
+location /sso-logout {
+ return 302 {{ item.value.base_url }}/logout?go=$scheme://$http_host/;
+}
+
+location @error401 {
+ return 302 {{ item.value.base_url }}/login?go=$scheme://$http_host$request_uri;
+}
-- cgit v1.2.3
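Review bot: The example `auth_url: http://127.0.0.1:8082` in the commented defaults disagrees with how the snippet template uses the value — `auth_url` is passed to `proxy_pass` verbatim and `/auth` is appended only in the `base_url` fallback — and with the real host var in this commit (`http://127.0.0.1:8082/auth`). Change the example to `# auth_url: http://127.0.0.1:8082/auth` and add one line such as `# auth_url is optional and defaults to <base_url>/auth` so the contract is visible where readers look for it.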
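Review bot: The snippet is written without a `notify`, so an updated sso-<name>.conf only takes effect at the next unrelated nginx reload; if the nginx/base role defines a reload handler, `notify: reload nginx` (using the handler name actually defined there) belongs on this task. Snippets for backends dropped from `nginx_sso_backends` are also left behind; that is less urgent than the backend-role cleanup because a vhost still including a stale snippet keeps working, but a comment stating that removal is manual would be fair to the next operator.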
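Review bot: The `go=` value in both `return 302` lines is built by plain concatenation with no URL encoding, and nginx does not escape `$request_uri` in `return`; a request that carries its own query string, e.g. `/path?a=1&b=2`, becomes `/login?go=https://host/path?a=1&b=2`, so nginx-sso sees `go` truncated at the first `&` and sends the user back to the wrong URL after login. Core nginx has no percent-encoding variable; either document the limitation in the template (`# go= is not URL-encoded: original query strings are lost on redirect`) or encode `$request_uri` first, e.g. with the set-misc module's `set_escape_uri` if that module is available in this build. `$http_host` in the same expressions is the client-supplied Host header; inside a vhost with an explicit server_name it is bounded by that set, but `$host` is the safer choice wherever a catch-all server includes this snippet.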