summaryrefslogtreecommitdiff
path: root/inventory/host_vars/ch-apps/node-red.yml
blob: 738d875b61a7506b4faed1d2a4dd767aa74f21ea (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
---
_node_red_zfs_base_:
  pool: storage
  name: node-red

node_red_instances:
  node-red.chaos-at-home.org:
    version: 3.1.10
    port: 1880
    credential_secret: "{{ vault_nodered_credential_secrets['node-red.chaos-at-home.org'] }}"
    mqtt_tls:
      certificate_provider: managed-ca
      certificate_config:
        ca:
          host: ch-iot
          name: mqtt
        cert:
          common_name: node-red.chaos-at-home.org
          extended_key_usage:
          - clientAuth
          extended_key_usage_critical: yes
          create_subject_key_identifier: yes
          not_after: +100w
    storage:
      type: zfs
      parent: "{{ _node_red_zfs_base_ }}"
      name: node-red.chaos-at-home.org
      properties:
        quota: 512M
    publish:
      zone: "{{ apps_publish_zone__chaos_at_home }}"
      hostnames:
      - node-red.chaos-at-home.org
      tls:
        certificate_provider: acmetool
        certificate_config:
          request:
            challenge:
              http-self-test: false
      vhost_extra_directives: |
        include snippets/whawty-sso-chaos-at-home.conf;

        location = /healthz {
           auth_request off;
           return 200;
        }
      location_extra_directives: |
        auth_request_set $username $upstream_http_x_username;
        proxy_set_header X-Username $username;
    custom_image:
      dockerfile: |
        RUN npm install passport-trusted-header
    extra_settings: |
      adminAuth: {
          type: "strategy",
          strategy: {
              name: "trusted-header",
              label: "SSO login",
              autoLogin: true,
              strategy: require("passport-trusted-header").Strategy,
              options: {
                  headers: ['x-username'],
                  verify: function(requestHeaders, done) {
                      var username = requestHeaders['x-username']
                      if(username === '') {
                          done("x-username HTTP-Header is empty", null)
                      }
                      done(null, { username: username });
                  }
              },
          },
          users: [
              { username: "equinox", permissions: ["*"] }
          ],
          default: {
              permissions: "read"
          }
      },