From 937d3c3fa6290084346a8aa798166c912736fc81 Mon Sep 17 00:00:00 2001
From: Christian Pointner <equinox@spreadspace.org>
Date: Mon, 13 Nov 2023 18:31:17 +0100
Subject: add role nginx/auth/whawty-sso

---
 roles/nginx/auth/whawty-sso/login/tasks/main.yml | 64 ++++++++++++++++++++++++
 1 file changed, 64 insertions(+)
 create mode 100644 roles/nginx/auth/whawty-sso/login/tasks/main.yml

(limited to 'roles/nginx/auth/whawty-sso/login/tasks')

diff --git a/roles/nginx/auth/whawty-sso/login/tasks/main.yml b/roles/nginx/auth/whawty-sso/login/tasks/main.yml
new file mode 100644
index 00000000..1ab43c8e
--- /dev/null
+++ b/roles/nginx/auth/whawty-sso/login/tasks/main.yml
@@ -0,0 +1,64 @@
+---
+- name: create configuration directory
+  file:
+    path: /etc/nginx/auth/whawty-sso
+    state: directory
+
+- name: generate htpasswd files for static backends
+  loop: "{{ whawty_nginx_sso_logins | dict2items | selectattr('value.config.auth.static', 'defined') | selectattr('value.config.auth.static.htpasswd', 'undefined') }}"
+  loop_control:
+    label: "{{ item.key }}"
+  copy:
+    content: |
+      {% for user,password in lookup('vars', 'whawty_nginx_sso_login_static_credentials__'~item.key).items() %}
+      {{ user }}:{{ password | password_hash('bcrypt', (user~'@whawty-nginx-sso_'~item.key) | bcrypt_salt) }}
+      {% endfor %}
+    dest: "/etc/nginx/auth/whawty-sso/{{ item.key }}.htpasswd"
+    mode: 0400
+
+
+- name: generate configuration file
+  loop: "{{ whawty_nginx_sso_logins | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
+  copy:
+    content: |
+      # ansible generated
+      {% set ssoconf = item.value.config %}
+      {% if 'static' in ssoconf.auth and 'htpasswd' not in ssoconf.auth.static %}
+      {%   set _dummy = ssoconf.auth.static.update({'htpasswd': '/etc/nginx/auth/whawty-sso/'~item.key~'.htpasswd'}) %}
+      {% endif %}
+      {{ ssoconf | to_nice_yaml(indent=2) }}
+    dest: "/etc/nginx/auth/whawty-sso/{{ item.key }}.yml"
+    mode: 0400
+  notify: restart whawty-nginx-sso
+
+- name: make sure nginx-sso services are enabled and started
+  loop: "{{ whawty_nginx_sso_logins | list }}"
+  systemd:
+    name: "whawty-nginx-sso@{{ item }}.service"
+    daemon_reload: yes
+    state: started
+    enabled: yes
+
+- name: configure vhost for whawty nginx-sso login
+  loop: "{{ whawty_nginx_sso_logins | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
+  vars:
+    nginx_vhost:
+      name: "whawty-nginx-sso-{{ item.key }}"
+      template: generic
+      tls:
+        certificate_provider: acmetool
+        certificate_config:
+          request:
+            challenge:
+              http-self-test: false
+      hostnames:
+      - "{{ item.value.hostname }}"
+      locations:
+        '/':
+          proxy_pass: "http://{{ item.value.config.web.listen }}/"
+  include_role:
+    name: nginx/vhost
-- 
cgit v1.2.3