56 changes: 56 additions & 0 deletions ansible/roles/relay/templates/nginx/relay-consul.ctmpl.j2
Expand Up @@ -56,6 +56,13 @@ upstream icecast {
keepalive 1000;
}

{% if relay_relive_ui is defined and relay_relive_ui|bool %}
# relive-ui Rails app
upstream relive-ui {
server unix:///var/run/relive-ui/puma.sock fail_timeout=0;
}
{% endif %}

# relay vhost
server {
server_name _;
Expand Down Expand Up @@ -503,4 +510,53 @@ server {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}

{% if relay_relive_ui is defined and relay_relive_ui|bool %}
# authentik outpost for SSO
location /outpost.goauthentik.io {
proxy_pass https://{{ relay_relive_ui_sso_host | default('sso.c3voc.de') }}/outpost.goauthentik.io;
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
add_header Set-Cookie $auth_cookie;
auth_request_set $auth_cookie $upstream_http_set_cookie;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
}

location @goauthentik_proxy_signin {
internal;
add_header Set-Cookie $auth_cookie;
return 302 /outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}

# relive-ui Rails app (fallback for unmatched paths)
location / {
auth_request /outpost.goauthentik.io/auth/nginx;
error_page 401 = @goauthentik_proxy_signin;
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;

# translate headers from the outpost back to the upstream
auth_request_set $authentik_username $upstream_http_x_authentik_username;
auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
auth_request_set $authentik_entitlements $upstream_http_x_authentik_entitlements;
auth_request_set $authentik_email $upstream_http_x_authentik_email;
auth_request_set $authentik_name $upstream_http_x_authentik_name;
auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

proxy_pass http://relive-ui;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

# Pass authentik headers to upstream
proxy_set_header X-authentik-username $authentik_username;
proxy_set_header X-authentik-name $authentik_name;
proxy_set_header X-authentik-email $authentik_email;
proxy_set_header X-authentik-uid $authentik_uid;
proxy_set_header X-authentik-groups $authentik_groups;
proxy_set_header X-authentik-entitlements $authentik_entitlements;
}
{% endif %}
}
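Review bot: The `auth_request /outpost.goauthentik.io/auth/nginx` in the new `location /` block is answered through `proxy_pass https://{{ relay_relive_ui_sso_host | default('sso.c3voc.de') }}/outpost.goauthentik.io`, but nginx does not verify upstream TLS certificates unless configured to, so the allow/deny decision and the identity headers read back via `auth_request_set` arrive over a TLS connection whose peer is never authenticated; nginx also does not send SNI to the upstream by default, which a hosted SSO endpoint will usually need. I would add to the `/outpost.goauthentik.io` location `proxy_ssl_server_name on;`, `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate <CA_BUNDLE_PATH>;` (with the bundle path templated like the host). Note that a hostname in `proxy_pass` is resolved once at configuration load, so the rendered config must be reloaded if the SSO host's address changes — presumably the consul-template reload covers this, worth confirming. The `server {` block these locations live in opens in the first hunk and is only closed at the end of this one.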