From 6baab118515c6fcdd0a8a00360a67553c51f947f Mon Sep 17 00:00:00 2001
From: uumas
Date: Sun, 13 Jul 2025 19:09:08 +0300
Subject: [PATCH] service: Support proxy forward auth using OAuth2 Proxy

---
 roles/service/defaults/main.yaml       |  1 +
 roles/service/meta/argument_specs.yaml | 10 ++++++++++
 roles/service/tasks/proxy.yaml         |  5 ++++-
 roles/service/vars/main/general.yaml   |  4 ----
 roles/service/vars/main/proxy.yaml     | 18 ++++++++++++++++++
 5 files changed, 33 insertions(+), 5 deletions(-)
 create mode 100644 roles/service/vars/main/proxy.yaml

diff --git a/roles/service/defaults/main.yaml b/roles/service/defaults/main.yaml
index 5111099..d376840 100644
--- a/roles/service/defaults/main.yaml
+++ b/roles/service/defaults/main.yaml
@@ -5,6 +5,7 @@ service_domains: []
 service_container_http_port: 0
 service_vhost_locations: []
 service_proxy_pass_host_header: true
+service_proxy_auth_type: none
 service_container_additional_networks: []
 service_container_user: ""
 
diff --git a/roles/service/meta/argument_specs.yaml b/roles/service/meta/argument_specs.yaml
index 480664f..0f532ef 100644
--- a/roles/service/meta/argument_specs.yaml
+++ b/roles/service/meta/argument_specs.yaml
@@ -33,6 +33,16 @@ argument_specs:
       type: bool
       required: false
       default: true
+    service_proxy_auth_type:
+      description: >-
+        Set to oauth2-proxy to use OAuth2 Proxy for vhost authentication.
+        The oauth2-proxy role must be run separately.
+      type: str
+      required: false
+      default: none
+      choices:
+        - none
+        - oauth2-proxy
     service_vhost_locations:
       description: Passed to vhost role as vhost_locations
       type: list
diff --git a/roles/service/tasks/proxy.yaml b/roles/service/tasks/proxy.yaml
index b61e7c6..b031108 100644
--- a/roles/service/tasks/proxy.yaml
+++ b/roles/service/tasks/proxy.yaml
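Review bot: The new `service_proxy_auth_type` description does not tell the caller what the `oauth2-proxy` choice relies on: the role hardcodes the OAuth2 Proxy socket path (`/run/oauth2-proxy-socat.sock` in vars/main/proxy.yaml) and adds a `/oauth2/*` location to the vhost, so an application path under `/oauth2/` would be shadowed. Suggest extending the folded description with `The OAuth2 Proxy socket is expected at /run/oauth2-proxy-socat.sock and the /oauth2/* path is reserved for it.` The `choices` list is what rejects other values when argument validation runs, so it needs to stay in sync with the string comparison in vars/main/proxy.yaml if another type is ever added.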
@@ -9,4 +9,7 @@
     vhost_proxy_target_netproto: unix
     vhost_proxy_target_socket: "/run/{{ service_name }}-socat.sock"
     vhost_proxy_headers: "{{ _service_proxy_headers }}"
-    vhost_locations: "{{ service_vhost_locations }}"
+    vhost_proxy_auth_socket: "{{ _service_oauth2_socket }}"
+    vhost_proxy_auth_uri: /oauth2/auth
+    vhost_proxy_auth_unauthorized_redir: "/oauth2/sign_in?rd={scheme}://{host}{uri}"
+    vhost_locations: "{{ _service_vhost_locations }}"
diff --git a/roles/service/vars/main/general.yaml b/roles/service/vars/main/general.yaml
index 93f61d1..e4d764e 100644
--- a/roles/service/vars/main/general.yaml
+++ b/roles/service/vars/main/general.yaml
@@ -15,7 +15,3 @@ _service_container_wants: >-
   | map(attribute='name')
   | map('regex_replace', '$', '.service')
   }}
-
-_service_replacement_host_header:
-  Host: "{{ service_name }}:{{ service_container_http_port }}"
-_service_proxy_headers: "{{ _service_replacement_host_header if not service_proxy_pass_host_header else {} }}"
diff --git a/roles/service/vars/main/proxy.yaml b/roles/service/vars/main/proxy.yaml
new file mode 100644
index 0000000..99a7ee9
--- /dev/null
+++ b/roles/service/vars/main/proxy.yaml
@@ -0,0 +1,18 @@
+---
+_service_replacement_host_header:
+  Host: "{{ service_name }}:{{ service_container_http_port }}"
+_service_proxy_headers: "{{ _service_replacement_host_header if not service_proxy_pass_host_header else {} }}"
+
+_service_oauth2_proxy: "{{ service_proxy_auth_type == 'oauth2-proxy' }}"
+_service_oauth2_socket: >-
+  {{ '/run/oauth2-proxy-socat.sock' if _service_oauth2_proxy else '' }}
+_service_oauth2_proxy_location:
+  path: /oauth2/*
+  proxy_target_socket: "{{ _service_oauth2_socket }}"
+  proxy_auth_socket: ""
+
+_service_vhost_locations: >-
+  {{
+    service_vhost_locations
+    + ([_service_oauth2_proxy_location] if _service_oauth2_proxy else [])
+  }}
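Review bot: The three `vhost_proxy_auth_*` settings are passed to the vhost role unconditionally, so when `service_proxy_auth_type` is `none` the vhost role receives `vhost_proxy_auth_socket: ""` together with a non-empty `vhost_proxy_auth_uri` and redirect; the vhost role presumably treats the empty socket as "no forward auth", but nothing in this file says so. Worth confirming against the vhost role and recording it, e.g. `# an empty vhost_proxy_auth_socket disables forward auth in the vhost role` above the socket line. The `rd` value in `vhost_proxy_auth_unauthorized_redir` is built from `{scheme}://{host}{uri}`; if the vhost role fills `{host}` from the request Host header rather than the configured server name, the post-login redirect reflects client-supplied input and relies on OAuth2 Proxy's redirect validation to stay on the expected domain, a dependency a one-line comment should name. The enclosing task starts above this hunk.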
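Review bot: `proxy_auth_socket: ""` on the `/oauth2/*` location is presumably what keeps OAuth2 Proxy's own sign-in, callback and auth endpoints outside the forward-auth check (a forward-auth subrequest to the auth endpoint would otherwise itself require authentication), yet it carries no comment and a later cleanup could drop it as redundant; suggest `# never forward-auth OAuth2 Proxy's own endpoints (avoids an auth loop)` above it. The socket path in `_service_oauth2_socket` duplicates knowledge owned by the oauth2-proxy role, and the argument spec only says that role must run separately; a comment such as `# must match the socket created by the oauth2-proxy role` would make the coupling visible. `_service_oauth2_proxy` is a Jinja comparison rendered to a string and then used as a truth value in the two conditionals below; this relies on Ansible's templater handing back a boolean rather than the string `'False'`, which is worth confirming for the Ansible version and Jinja settings in use.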