service: Support proxy forward auth using OAuth2 Proxy

2025-07-13 19:09:08 +03:00
parent 543a34f60d
commit 6baab11851
5 changed files with 33 additions and 5 deletions
--- a/roles/service/defaults/main.yaml
+++ b/roles/service/defaults/main.yaml
@@ -5,6 +5,7 @@ service_domains: []
 service_container_http_port: 0
 service_vhost_locations: []
 service_proxy_pass_host_header: true
+service_proxy_auth_type: none

 service_container_additional_networks: []
 service_container_user: ""
--- a/roles/service/meta/argument_specs.yaml
+++ b/roles/service/meta/argument_specs.yaml
@@ -33,6 +33,16 @@ argument_specs:
        type: bool
        required: false
        default: true
+      service_proxy_auth_type:
+        description: >-
+          Set to oauth2-proxy to use OAuth2 Proxy for vhost authentication.
+          The oauth2-proxy role must be run separately.
+        type: str
+        required: false
+        default: none
+        choices:
+          - none
+          - oauth2-proxy
      service_vhost_locations:
        description: Passed to vhost role as vhost_locations
        type: list
--- a/roles/service/tasks/proxy.yaml
+++ b/roles/service/tasks/proxy.yaml
@@ -9,4 +9,7 @@
    vhost_proxy_target_netproto: unix
    vhost_proxy_target_socket: "/run/{{ service_name }}-socat.sock"
    vhost_proxy_headers: "{{ _service_proxy_headers }}"
-    vhost_locations: "{{ service_vhost_locations }}"
+    vhost_proxy_auth_socket: "{{ _service_oauth2_socket }}"
+    vhost_proxy_auth_uri: /oauth2/auth
+    vhost_proxy_auth_unauthorized_redir: "/oauth2/sign_in?rd={scheme}://{host}{uri}"
+    vhost_locations: "{{ _service_vhost_locations }}"
--- a/roles/service/vars/main/general.yaml
+++ b/roles/service/vars/main/general.yaml
@@ -15,7 +15,3 @@ _service_container_wants: >-
        | map(attribute='name')
        | map('regex_replace', '$', '.service')
  }}
-
-_service_replacement_host_header:
-  Host: "{{ service_name }}:{{ service_container_http_port }}"
-_service_proxy_headers: "{{ _service_replacement_host_header if not service_proxy_pass_host_header else {} }}"
--- a/roles/service/vars/main/proxy.yaml
+++ b/roles/service/vars/main/proxy.yaml
@@ -0,0 +1,18 @@
+---
+_service_replacement_host_header:
+  Host: "{{ service_name }}:{{ service_container_http_port }}"
+_service_proxy_headers: "{{ _service_replacement_host_header if not service_proxy_pass_host_header else {} }}"
+
+_service_oauth2_proxy: "{{ service_proxy_auth_type == 'oauth2-proxy' }}"
+_service_oauth2_socket: >-
+  {{ '/run/oauth2-proxy-socat.sock' if _service_oauth2_proxy else '' }}
+_service_oauth2_proxy_location:
+  path: /oauth2/*
+  proxy_target_socket: "{{ _service_oauth2_socket }}"
+  proxy_auth_socket: ""
+
+_service_vhost_locations: >-
+  {{
+    service_vhost_locations +
+      ([_service_oauth2_proxy_location] if _service_oauth2_proxy else [])
+  }}