From c51bc2b05c810db3a4c42353b97799733709106c Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Thu, 28 Dec 2023 03:43:54 +0100
Subject: apps/node-red: 80% done but still (WIP)
---
 .../appspublishzone-chaos-at-home/vars.yml | 1 +
 inventory/host_vars/ch-apps/node-red.yml | 50 ++++++++++++++++++++++
 2 files changed, 51 insertions(+)
(limited to 'inventory')
diff --git a/inventory/group_vars/appspublishzone-chaos-at-home/vars.yml b/inventory/group_vars/appspublishzone-chaos-at-home/vars.yml
index 761b3937..03209554 100644
--- a/inventory/group_vars/appspublishzone-chaos-at-home/vars.yml
+++ b/inventory/group_vars/appspublishzone-chaos-at-home/vars.yml
@@ -36,6 +36,7 @@ chaos_at_home_apps_publish_ca_cert: |
 apps_publish_zone__chaos_at_home:
 name: chaos-at-home
+ publisher: ch-http-proxy
 certificate_provider: static-ca
 certificate_ca_config:
 cert_content: "{{ chaos_at_home_apps_publish_ca_cert }}"
diff --git a/inventory/host_vars/ch-apps/node-red.yml b/inventory/host_vars/ch-apps/node-red.yml
index c84d151c..157043d1 100644
--- a/inventory/host_vars/ch-apps/node-red.yml
+++ b/inventory/host_vars/ch-apps/node-red.yml
@@ -16,3 +16,53 @@ node_red_instances:
 extended_key_usage_critical: yes
 create_subject_key_identifier: yes
 not_after: +100w
+ publish:
+ zone: "{{ apps_publish_zone__chaos_at_home }}"
+ hostnames:
+ - node-red.chaos-at-home.org
+ tls:
+ certificate_provider: acmetool
+ certificate_config:
+ request:
+ challenge:
+ http-self-test: false
+ vhost_extra_directives: |
+ include snippets/whawty-sso-chaos-at-home.conf;
+
+ location = /healthz {
+ auth_request off;
+ return 200;
+ }
+ location_extra_directives: |
+ auth_request_set $username $upstream_http_x_username;
+ proxy_set_header X-Username $username;
+ proxy_set_header Authorization "";
+ custom_image:
+ dockerfile: |
+ RUN npm install passport-trusted-header
+ extra_settings: |
+ adminAuth: {
+ type: "strategy",
+ strategy: {
+ name: "trusted-header",
+ label: "SSO login",
+ autoLogin: true,
+ strategy: require("passport-trusted-header").Strategy,
+ options: {
+ headers: ['x-username'],
+ verify: function(requestHeaders, done) {
+ var username = requestHeaders['x-username']
+ if(username === '') {
+ done("x-username HTTP-Header is empty", null)
+ }
+ done(null, { username: username });
+ }
+ },
+ },
+ users: [
+ { username: "equinox", permissions: ["*"] }
+ ],
+ default: {
+ permissions: "read"
+ }
+ }
-- cgit v1.2.3
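Review bot: In the `verify` callback inside `extra_settings`, the empty-header branch calls `done("x-username HTTP-Header is empty", null)` without returning, so execution falls through to `done(null, { username: username })` and the callback fires a second time with the empty name. The strict `username === ''` test would also let an absent header through if the strategy hands it over as `undefined` (not verifiable from this hunk); `if (!username) { return done("x-username HTTP-Header is empty", null); }` covers both cases. Because `X-Username` is the only identity proof Node-RED sees here, it is worth confirming that the Node-RED listener is reachable solely through the proxy that sets the header, since the binding is not visible in this hunk. It would also help to add a comment next to `default: { permissions: "read" }` stating that read access for identities outside `users` is intended.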