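---
# Node-RED instance for node-red.chaos-at-home.org, published behind a
# reverse proxy that authenticates users and passes the user name on in the
# X-Username header.
# NOTE(review): the nesting below is reconstructed from a flattened page;
# confirm it against the schema the consuming role expects.

# Parent ZFS dataset shared by the instance storage definition below.
_node_red_zfs_base_:
  pool: storage
  name: node-red

node_red_instances:
  node-red.chaos-at-home.org:
    # Quoted so the version can never be read as a number.
    version: '3.1.10'
    port: 1880
    # Taken from the vault; never put the secret itself in this file.
    credential_secret: "{{ vault_nodered_credential_secrets['node-red.chaos-at-home.org'] }}"
    # Client certificate issued by the managed CA "mqtt" on host ch-iot.
    mqtt_tls:
      certificate_provider: managed-ca
      certificate_config:
        ca:
          host: ch-iot
          name: mqtt
        cert:
          common_name: node-red.chaos-at-home.org
          # Limits the certificate to TLS client authentication.
          extended_key_usage:
            - clientAuth
          extended_key_usage_critical: true
          create_subject_key_identifier: true
          # presumably 100 weeks - confirm the unit, and make sure renewal
          # is scheduled before expiry
          not_after: '+100w'
    storage:
      type: zfs
      parent: "{{ _node_red_zfs_base_ }}"
      name: node-red.chaos-at-home.org
      properties:
        quota: 512M
    publish:
      zone: "{{ apps_publish_zone__chaos_at_home }}"
      hostnames:
        - node-red.chaos-at-home.org
      tls:
        certificate_provider: acmetool
        certificate_config:
          request:
            challenge:
              http-self-test: false
      # /healthz answers 200 without authentication and without touching
      # the upstream, so it exposes nothing from Node-RED.
      # NOTE(review): the included snippet presumably enables auth_request
      # for the vhost - confirm, because everything below depends on it.
      vhost_extra_directives: |
        include snippets/whawty-sso-chaos-at-home.conf;
        location = /healthz {
          auth_request off;
          return 200;
        }
      # proxy_set_header replaces any X-Username sent by the client with the
      # value returned by the auth subrequest. nginx does not forward a
      # header whose value is an empty string, so Node-RED may receive no
      # x-username header at all.
      location_extra_directives: |
        auth_request_set $username $upstream_http_x_username;
        proxy_set_header X-Username $username;
    custom_image:
      dockerfile: |
        RUN npm install passport-trusted-header
    # Node-RED trusts the x-username header unconditionally. Port 1880 must
    # be reachable only through the proxy configured above; any other path
    # to it lets a client pick its own user name.
    # verify rejects a missing header as well as an empty one and returns
    # after reporting the error, so done() is called exactly once.
    # NOTE(review): "default" grants read access to every request whose user
    # is not listed under "users"; drop it if only listed users may view the
    # flows.
    extra_settings: |
      adminAuth: {
        type: "strategy",
        strategy: {
          name: "trusted-header",
          label: "SSO login",
          autoLogin: true,
          strategy: require("passport-trusted-header").Strategy,
          options: {
            headers: ['x-username'],
            verify: function(requestHeaders, done) {
              var username = requestHeaders['x-username'];
              if (!username) {
                return done("x-username HTTP-Header is missing or empty", null);
              }
              return done(null, { username: username });
            }
          },
        },
        users: [
          { username: "equinox", permissions: ["*"] }
        ],
        default: { permissions: "read" }
      },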