Implemented universal logout

2025-07-22 13:14:06 +02:00
parent 22ff2dc1f3
commit 4b9e7dd3b7
70 changed files with 522 additions and 72 deletions


@@ -15,6 +15,9 @@ server
{% include 'roles/srv-web-7-7-letsencrypt/templates/ssl_header.j2' %}
{% if applications | get_app_conf(application_id, 'features.universal_logout', False) or domain == primary_domain %}
{% include 'roles/web-svc-logout/templates/logout-proxy.conf.j2' %}
{% endif %}
{% if applications | get_app_conf(application_id, 'features.oauth2', False) %}
{% set acl = applications | get_app_conf(application_id, 'oauth2_proxy.acl', False, {}) %}
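Review bot: Including `logout-proxy.conf.j2` places an exact-match `location = /logout` into every server block whose application has `features.universal_logout` set, so an application that serves its own `/logout` route would have that path shadowed and its request proxied to the logout service instead; the apps enabled in this commit should be checked for such a route before the flag is switched on for them. The included snippet reads `ports.localhost.http['web-svc-logout']`, so rendering presumably fails on a host where an application carries the flag but the `web-svc-logout` role is not part of the play, and the `or domain == primary_domain` branch makes that reachable for the primary domain independent of the flag. The enclosing `server` block starts and ends outside this hunk.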


@@ -7,6 +7,7 @@ features:
css: true
port-ui-desktop: true
central_database: true
universal_logout: true
domains:
canonical:
- "accounting.{{ primary_domain }}"


@@ -4,8 +4,9 @@ image:
features:
matomo: true
css: true
port-ui-desktop: true
port-ui-desktop: true
central_database: true
universal_logout: true
docker:
services:
redis:
@@ -14,4 +15,4 @@ docker:
enabled: true
domains:
canonical:
- "tickets.{{ primary_domain }}"
- "tickets.{{ primary_domain }}"


@@ -3,6 +3,7 @@ features:
css: true
port-ui-desktop: true
central_database: true
universal_logout: true
docker:
services:
redis:


@@ -7,11 +7,12 @@ api_suffix: "/bigbluebutton/"
features:
matomo: true
css: true
port-ui-desktop: false # Videos can't open in frame due to iframe restrictions
port-ui-desktop: false # Videos can't open in frame due to iframe restrictions
# @todo fix this
ldap: false
oidc: true
central_database: false
universal_logout: true
domains:
canonical:
- "meet.{{ primary_domain }}"
@@ -21,4 +22,4 @@ csp:
unsafe-inline: true
style-src:
unsafe-inline: true
credentials: {}
credentials: {}


@@ -5,8 +5,9 @@ pds:
features:
matomo: true
css: true
port-ui-desktop: true
port-ui-desktop: true
central_database: true
universal_logout: true
domains:
canonical:
web: "bskyweb.{{ primary_domain }}"
@@ -14,4 +15,4 @@ domains:
docker:
services:
database:
enabled: true
enabled: true


@@ -6,4 +6,6 @@ docker:
redis:
enabled: true
database:
enabled: false # May this is wrong. Just set during refactoring
enabled: false # May this is wrong. Just set during refactoring
features:
universal_logout: false # I think collabora is more a service then a app. So no login neccessary Propably it makes sense to rename it ;)


@@ -6,6 +6,7 @@ features:
oidc: true
central_database: true
ldap: false # @todo implement and activate
universal_logout: true
csp:
flags:
style-src:
@@ -44,4 +45,4 @@ plugins:
discourse-solved:
enabled: true
discourse-voting:
enabled: true
enabled: true


@@ -1 +1,2 @@
features:
universal_logout: false # Just deactivated to oppress warnings, elk is anyhow not running


@@ -1,10 +1,11 @@
features:
matomo: true
css: false
port-ui-desktop: true
port-ui-desktop: true
ldap: false
oidc: true
central_database: true
universal_logout: true
csp:
flags:
script-src-elem:
@@ -34,4 +35,4 @@ docker:
version: "latest"
name: "espocrm"
volumes:
data: espocrm_data
data: espocrm_data


@@ -3,11 +3,12 @@ images:
features:
matomo: true
css: false # Temporary deactivated
port-ui-desktop: true
port-ui-desktop: true
oidc: false # Implementation doesn't work yet
central_database: true
ldap: true
oauth2: false # No special login side which could be protected, use 2FA of Friendica instead
universal_logout: true
domains:
canonical:
- "social.{{ primary_domain }}"
@@ -29,4 +30,4 @@ addons:
docker:
services:
database:
enabled: true
enabled: true


@@ -15,10 +15,11 @@ docker:
features:
matomo: true
css: false
port-ui-desktop: true
port-ui-desktop: true
ldap: true
central_database: true
oauth2: false # Doesn't make sense to activate it atm, because login is possible on homepage
universal_logout: true
domains:
canonical:
- "audio.{{ primary_domain }}"
@@ -37,4 +38,4 @@ oauth2_proxy:
port: "80"
acl:
blacklist:
- "/login"
- "/login"


@@ -12,6 +12,7 @@ features:
ldap: true
oauth2: true
oidc: false # Deactivated because users aren't auto-created.
universal_logout: true
oauth2_proxy:
application: "application"
port: "<< defaults_applications[web-app-gitea].docker.services.gitea.port >>"
@@ -47,4 +48,4 @@ docker:
port: 3000
name: "gitea"
volumes:
data: "gitea_data"
data: "gitea_data"


@@ -1,8 +1,9 @@
features:
matomo: true
css: true
port-ui-desktop: true
port-ui-desktop: true
central_database: true
universal_logout: true
docker:
services:
redis:
@@ -13,4 +14,4 @@ docker:
image: "gitlab/gitlab-ee"
version: "latest"
credentials:
initial_root_password: "{{ users.administrator.password }}"
initial_root_password: "{{ users.administrator.password }}"


@@ -0,0 +1,2 @@
features:
universal_logout: true # Same like with elk, anyhow not active atm


@@ -3,12 +3,13 @@ images:
features:
matomo: true
css: true
port-ui-desktop: true
port-ui-desktop: true
central_database: true
universal_logout: true
domains:
canonical:
- "cms.{{ primary_domain }}"
docker:
services:
database:
enabled: true
enabled: true


@@ -6,6 +6,7 @@ features:
ldap: true
central_database: true
recaptcha: true
universal_logout: true
csp:
flags:
script-src-elem:
@@ -14,6 +15,9 @@ csp:
unsafe-inline: true
style-src:
unsafe-inline: true
whitelist:
frame-src:
- "*" # For frontend channel logout it's necessary that iframes can be loaded
domains:
canonical:
- "auth.{{ primary_domain }}"
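Review bot: The `frame-src` whitelist entry `"*"` added in the second hunk of this section (`csp.whitelist.frame-src`) lets Keycloak pages load frames from any origin, which is broader than front-channel logout needs: the frames to load are the logout URLs of applications under the same primary domain. Elsewhere in this commit the same need is written as `- "{{ web_protocol }}://*.{{primary_domain}}"`, and using that form here keeps the policy limited to the deployment's own subdomains while still allowing the logout iframes. An application whose canonical domain lies outside `*.{{ primary_domain }}` is better listed explicitly than covered by a wildcard.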


@@ -20,4 +20,6 @@ galaxy_info:
logo:
class: "fa-solid fa-lock"
run_after:
- web-app-matomo
- web-app-matomo
dependencies:
- web-svc-logout


@@ -8,10 +8,11 @@ oauth2_proxy:
features:
matomo: true
css: true
port-ui-desktop: true
port-ui-desktop: true
ldap: true
central_database: false
oauth2: false
universal_logout: true
csp:
flags:
style-src:


@@ -5,9 +5,9 @@ docker:
versions: {} # @todo Move under services
services:
redis:
enabled: false # Enable Redis
enabled: false # Enable Redis
database:
enabled: false # Enable the database
enabled: false # Enable the database
features:
matomo: true # Enable Matomo Tracking
css: true # Enable Global CSS Styling
@@ -16,10 +16,11 @@ features:
central_database: false # Enable Central Database Network
recaptcha: false # Enable ReCaptcha
oauth2: false # Enable the OAuth2-Proy
javascript: false # Enables the custom JS in the javascript.js.j2 file
csp:
whitelist: {} # URL's which should be whitelisted
flags: {} # Flags which should be set
javascript: false # Enables the custom JS in the javascript.js.j2 file
universal_logout: false # With this app I assume that it's a service, so should be renamed and logging is unneccessary
csp:
whitelist: {} # URL's which should be whitelisted
flags: {} # Flags which should be set
domains:
canonical: {} # Urls under which the domain should be directly accessible
aliases: [] # Alias redirections to the first element of the canonical domains


@@ -5,6 +5,7 @@ features:
port-ui-desktop: true
central_database: true
oidc: true
universal_logout: true
domains:
canonical:
- "newsletter.{{ primary_domain }}"
@@ -18,4 +19,4 @@ docker:
backup:
no_stop_required: true
name: listmonk
port: 9000
port: 9000


@@ -5,9 +5,10 @@ domain: "{{primary_domain}}" # The main domain fr
features:
matomo: true
css: false
port-ui-desktop: true # Deactivated mailu iframe loading until keycloak supports it
port-ui-desktop: true # Deactivated mailu iframe loading until keycloak supports it
oidc: true
central_database: false # Deactivate central database for mailu, I don't know why the database deactivation is necessary
universal_logout: true
domains:
canonical:
- "mail.{{ primary_domain }}"
@@ -32,4 +33,4 @@ docker:
enabled: true
mailu:
version: "2024.06" # Docker Image Version
name: mailu
name: mailu


@@ -6,6 +6,7 @@ features:
port-ui-desktop: true
oidc: true
central_database: true
universal_logout: true
domains:
canonical:
- "microblog.{{ primary_domain }}"
@@ -30,4 +31,4 @@ docker:
version: latest
name: "mastodon-streaming"
volumes:
data: "mastodon_data"
data: "mastodon_data"


@@ -8,6 +8,7 @@ features:
port-ui-desktop: false # Didn't work in frame didn't have high priority @todo figure out pcause and solve it
central_database: true
oauth2: false
universal_logout: true
csp:
whitelist:
script-src-elem:
@@ -43,4 +44,4 @@ docker:
redis:
enabled: false
volumes:
data: matomo_data
data: matomo_data


@@ -23,6 +23,7 @@ features:
port-ui-desktop: true
oidc: true # Deactivated OIDC due to this issue https://github.com/matrix-org/synapse/issues/10492
central_database: true
universal_logout: true
csp:
flags:
script-src:
@@ -52,4 +53,4 @@ plugins:
domains:
canonical:
synapse: "matrix.{{ primary_domain }}"
element: "element.{{ primary_domain }}"
element: "element.{{ primary_domain }}"


@@ -10,4 +10,6 @@ docker:
no_stop_required: true
name: mediawiki
volumes:
data: mediawiki_data
data: mediawiki_data
features:
universal_logout: true


@@ -8,6 +8,7 @@ features:
matomo: true # activate tracking
css: true # use custom cymais stile
port-ui-desktop: true # Enable in port-ui
universal_logout: false
csp:
whitelist:
script-src-elem:
@@ -24,8 +25,8 @@ csp:
- https://cdn.jsdelivr.net
connect-src:
- https://ka-f.fontawesome.com
#frame-src:
# - "{{ web_protocol }}://*.{{primary_domain}}"
frame-ancestors:
- "*" # No damage if it's used somewhere on other websites, it anyhow looks like art
flags:
style-src:
unsafe-inline: true
@@ -34,4 +35,4 @@ domains:
- "mig.{{ primary_domain }}"
aliases:
- "meta-infinite-graph.{{ primary_domain }}"
build_data: true # Enables the building of the meta data which the graph requiers
build_data: true # Enables the building of the meta data which the graph requiers


@@ -4,6 +4,7 @@ features:
oidc: true
matomo: true
port-ui-desktop: true
universal_logout: true
csp:
flags:
script-src-elem:
@@ -22,4 +23,4 @@ docker:
mobilizon:
image: "docker.io/framasoft/mobilizon"
name: "mobilizon"
version: ""
version: ""


@@ -5,6 +5,7 @@ features:
port-ui-desktop: true
central_database: true
oidc: true
universal_logout: true
csp:
flags:
script-src-elem:
@@ -35,4 +36,4 @@ docker:
volumes:
data: moodle_data
code: moodle_code


@@ -2,8 +2,9 @@
features:
matomo: true
css: true
port-ui-desktop: true
port-ui-desktop: true
central_database: true
universal_logout: true
docker:
services:
database:
@@ -13,4 +14,4 @@ docker:
version: "latest"
name: "mybb"
volumes:
data: "mybb_data"
data: "mybb_data"


@@ -1,8 +1,8 @@
features:
matomo: true
css: true
port-ui-desktop: true
port-ui-desktop: true
universal_logout: false
csp:
whitelist:
script-src-elem:
@@ -14,6 +14,8 @@ csp:
- https://cdn.jsdelivr.net
font-src:
- https://cdnjs.cloudflare.com
frame-src:
- "{{ web_protocol }}://*.{{primary_domain}}" # Makes sense that all of the website content is available in the navigator
flags:
style-src:
unsafe-inline: true
@@ -23,4 +25,4 @@ csp:
unsafe-inline: true
domains:
canonical:
- "slides.{{ primary_domain }}"
- "slides.{{ primary_domain }}"


@@ -59,6 +59,7 @@ features:
ldap: true
oidc: true
central_database: true
universal_logout: true
default_quota: '1000000000' # Quota to assign if no quota is specified in the OIDC response (bytes)
legacy_login_mask:
enabled: False # If true, then legacy login mask is shown. Otherwise just SSO
@@ -258,4 +259,4 @@ plugins:
- sociallogin
whiteboard:
# Nextcloud Whiteboard: provides a collaborative drawing and brainstorming tool (https://apps.nextcloud.com/apps/whiteboard)
enabled: true
enabled: true


@@ -4,4 +4,5 @@ allowed_roles: "admin" # Restrict it default to admin r
features:
matomo: true
css: true
port-ui-desktop: false
port-ui-desktop: false
universal_logout: true


@@ -17,6 +17,7 @@ features:
ldap: true
central_database: true
oauth2: true
universal_logout: true
csp:
flags:
script-src-elem:
@@ -51,4 +52,4 @@ docker:
version: "" # If need a specific memcached version you have to define it here, otherwise the version from svc-db-memcached will be used
volumes:
data: "openproject_data"
data: "openproject_data"


@@ -4,6 +4,7 @@ features:
port-ui-desktop: true
central_database: true
oidc: true
universal_logout: true
csp:
flags:
script-src-elem:
@@ -37,4 +38,4 @@ docker:
backup:
no_stop_required: true
volumes:
data: peertube_data
data: peertube_data


@@ -9,9 +9,10 @@ oauth2_proxy:
features:
matomo: true
css: true
port-ui-desktop: true
port-ui-desktop: true
central_database: true
oauth2: true
universal_logout: true
csp:
flags:
style-src:
@@ -24,4 +25,4 @@ csp:
docker:
services:
database:
enabled: true
enabled: true


@@ -7,6 +7,7 @@ oauth2_proxy:
features:
matomo: true
css: true
port-ui-desktop: true
port-ui-desktop: true
ldap: true
oauth2: true
oauth2: true
universal_logout: true


@@ -11,6 +11,7 @@ features:
# it's anyhow not so enduser relevant, so it can be kept like this
central_database: true
oauth2: true
universal_logout: true
csp:
flags:
style-src:


@@ -2,9 +2,10 @@ titel: "Pictures on {{primary_domain}}"
features:
matomo: true
css: false # Needs to be reactivated
port-ui-desktop: true
port-ui-desktop: true
central_database: true
oidc: true
universal_logout: true
csp:
flags:
script-src:
@@ -15,6 +16,9 @@ csp:
unsafe-eval: true
style-src:
unsafe-inline: true
whitelist:
frame-ancestors:
- "*"
domains:
canonical:
- "picture.{{ primary_domain }}"
@@ -27,7 +31,7 @@ docker:
database:
enabled: true
pixelfed:
image: "zknt/pixelfed"
image: "zknt/pixelfed"
version: "latest"
name: "pixelfed"
backup:
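Review bot: The `frame-ancestors` whitelist entry `"*"` added in the `csp.whitelist` hunk of this section allows any site to embed Pixelfed in a frame, which gives up the clickjacking protection `frame-ancestors` exists to provide, and no comment records which embedder requires it. If the intent is to let the logout conductor or Keycloak frame the logout page, a scoped entry such as `- "{{ web_protocol }}://*.{{ primary_domain }}"` (the form the new `web-svc-logout` config uses for `connect-src`) covers that without opening framing to every origin. The `docker:` hunk further down looks like a whitespace-only change.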


@@ -4,6 +4,7 @@ features:
port-ui-desktop: false
simpleicons: true # Activate Brand Icons for your groups
javascript: true # Necessary for URL sync
universal_logout: false # Doesn't have own user data. Just a frame.
csp:
whitelist:
script-src-elem:


@@ -17,6 +17,7 @@ features:
recaptcha: false # Enable ReCaptcha
oauth2: false # Enable the OAuth2-Proy
javascript: false # Enables the custom JS in the javascript.js.j2 file
universal_logout: true
csp:
whitelist: {} # URL's which should be whitelisted
flags: {} # Flags which should be set


@@ -1,3 +1,5 @@
features:
universal_logout: false
domains:
canonical:
- "wheel.{{ primary_domain }}"


@@ -5,6 +5,7 @@ features:
central_database: true
ldap: true
oauth2: true
universal_logout: true
domains:
canonical:
- "inventory.{{ primary_domain }}"
@@ -38,4 +39,4 @@ docker:
image: "grokability/snipe-it"
volumes:
data: "snipe-it_data"


@@ -2,6 +2,7 @@ features:
matomo: true
css: true
port-ui-desktop: true
universal_logout: false
csp:
flags:
script-src:


@@ -1,3 +1,6 @@
features:
universal_logout: false # Role is not enabled until then keep it false
# syncope:
# version: "latest"
# credentials:
@@ -9,4 +12,4 @@
# password: "{{ users.administrator.password }}"
# users:
# administrator:
# username: "{{ users.administrator.username }}"
# username: "{{ users.administrator.username }}"


@@ -11,6 +11,7 @@ features:
port-ui-desktop: true
oidc: false
central_database: true
universal_logout: true
docker:
services:
database:
@@ -28,4 +29,4 @@ csp:
unsafe-eval: true
domains:
canonical:
- "kanban.{{ primary_domain }}"
- "kanban.{{ primary_domain }}"


@@ -9,9 +9,10 @@ plugins:
features:
matomo: true
css: false
port-ui-desktop: true
port-ui-desktop: true
oidc: true
central_database: true
universal_logout: true
csp:
flags:
style-src:


@@ -0,0 +1,3 @@
# xmpp is more a service then a app with ui interface. @todo Rename it
features:
universal_logout: false # Reactivated as soon as xmpp is fully implemented


@@ -12,6 +12,7 @@ features:
port-ui-desktop: true
central_database: true
oauth2: true
universal_logout: true
domains:
canonical:
- "s.{{ primary_domain }}"
@@ -24,4 +25,4 @@ docker:
yourls:
version: "latest"
name: "yourls"
image: "yourls"
image: "yourls"


@@ -0,0 +1,35 @@
# web-svc-logout
This folder contains an Ansible role to deploy and configure the **Universal Logout Service**.
## Description
This role sets up the universal logout proxy service, a Dockerized Python Flask container that coordinates logout requests across multiple OIDC-integrated applications. It also configures the necessary Nginx proxy snippets and environment variables to enable unified logout flows.
It solves the common challenge of logging a user out from all connected apps with a single action, especially in environments where apps live on multiple subdomains and use OIDC authentication.
## Overview
- Deploys the universal logout service container based on the official [universal-logout GitHub repository](https://github.com/kevinveenbirkenbach/universal-logout).
- Configures the logout domains dynamically based on application inventory and features using custom Ansible filters.
- Provides an Nginx `/logout` proxy configuration snippet that handles CORS and forwards logout requests to the logout service.
- Supplies a user-friendly logout conductor UI that requests logout on all configured domains and shows live status.
- Designed to be used as the Front Channel Logout URL for Keycloak or other OpenID Connect providers, enabling a seamless, service-spanning logout experience.
## Features
- Automatic discovery of logout domains from applications with the `features.universal_logout` flag enabled.
- Centralized logout proxy that clears cookies and sessions across all configured subdomains.
- Status page with live feedback on logout progress for each domain.
- Built-in support for Docker Compose deployment and integration with the CyMaIS ecosystem.
- Includes security-conscious headers (CORS, CSP) for smooth cross-domain logout operations.
## Further Resources
- [Universal Logout GitHub Repository](https://github.com/kevinveenbirkenbach/universal-logout)
- [CyMaIS Project](https://cymais.cloud)
- [Author: Kevin Veen-Birkenbach](https://veen.world)
---
*This role is licensed under the [CyMaIS NonCommercial License (CNCL)](https://s.veen.world/cncl).*


@@ -0,0 +1,2 @@
# Todos
- solve loading of domains which are not in group names, but declared via dependencies



@@ -0,0 +1,25 @@
features:
matomo: true
css: true
port-ui-desktop: true
javascript: false
domains:
canonical:
- "logout.{{ primary_domain }}"
csp:
flags:
style-src:
unsafe-inline: true
script-src-elem:
unsafe-inline: true
whitelist:
connect-src:
- "{{ web_protocol }}://*.{{ primary_domain }}"
- "{{ web_protocol }}://{{ primary_domain }}"
script-src-elem:
- https://cdn.jsdelivr.net
style-src:
- https://cdn.jsdelivr.net
frame-ancestors:
- "{{ web_protocol }}://<< defaults_applications[web-app-keycloak].domains.canonical[0] >>"
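Review bot: `script-src-elem: unsafe-inline: true` under `csp.flags` switches off the script-injection protection of the CSP on the logout conductor page, which is the page that fires credentialed logout requests at every configured subdomain. If the inline script in the conductor template can be served as a static file from the same origin, or allowed through a hash, the `unsafe-inline` flag can be dropped while the jsdelivr whitelist stays; the `frame-ancestors` entry limited to the Keycloak canonical domain is the right shape for this page. The `connect-src` entries already scope the logout calls to `*.{{ primary_domain }}`, so nothing else here needs a wider policy.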


@@ -0,0 +1,49 @@
# roles/web-svc-logout/filter_plugins/domain_filters.py
from ansible.errors import AnsibleFilterError
import sys, os
sys.path.insert(0, os.path.abspath(os.path.join(os.path.dirname(__file__), '..', '..', '..')))
from module_utils.config_utils import get_app_conf
class FilterModule(object):
"""Ansible filter plugin for generating logout domains based on universal_logout feature."""
def filters(self):
return {
'logout_domains': self.logout_domains,
}
def logout_domains(self, applications, group_names):
"""
Return a list of domains for applications where features.universal_logout is true.
:param applications: dict of application configs
:param group_names: list of application IDs to consider
:return: flat list of domain strings
"""
try:
result = []
for app_id, config in applications.items():
if app_id not in group_names:
continue
if not get_app_conf(applications, app_id, 'features.universal_logout', False):
continue
# use canonical domains list if present
domains_entry = config.get('domains', {}).get('canonical', [])
# normalize to a list of strings
if isinstance(domains_entry, dict):
flattened = list(domains_entry.values())
elif isinstance(domains_entry, list):
flattened = domains_entry
else:
flattened = [domains_entry]
result.extend(flattened)
return result
except Exception as e:
raise AnsibleFilterError(f"logout_domains filter error: {e}")
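Review bot: `config.get('domains', {}).get('canonical', [])` on the `domains_entry` line raises `AttributeError` when an application declares `domains:` with an empty value, because `.get('domains', {})` returns `None` for a present-but-null key; the blanket `except Exception` then surfaces it only as a generic filter error without the original traceback. Writing `domains_entry = ((config.get('domains') or {}).get('canonical') or [])` covers the null case, and `raise AnsibleFilterError(f"logout_domains filter error: {e}") from e` keeps the cause attached. The `isinstance(domains_entry, dict)` branch relies on mapping iteration order for the resulting domain order, which is worth a one-line comment since `LOGOUT_DOMAINS` is rendered from this list.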


@@ -0,0 +1,37 @@
galaxy_info:
author: "Kevin VeenBirkenbach"
description: >
Deploys the universal logout service: a Dockerized Python container,
Nginx `/logout` proxies for `*.cymais.cloud`, and the `conductor.html.j2`
template for unified logout orchestration.
license: "CyMaIS NonCommercial License (CNCL)"
license_url: "https://s.veen.world/cncl"
company: |
Kevin VeenBirkenbach
Consulting & Coaching Solutions
https://www.veen.world
min_ansible_version: "2.9"
platforms:
- name: Docker
versions:
- latest
- name: Debian
versions:
- buster
- bullseye
- name: Ubuntu
versions:
- focal
- jammy
galaxy_tags:
- ansible
- docker
- flask
- nginx
- cymais
- logout
repository: "https://github.com/kevinveenbirkenbach/universal-logout"
issue_tracker_url: "https://github.com/kevinveenbirkenbach/universal-logout/issues"
documentation: "https://github.com/kevinveenbirkenbach/universal-logout#readme"
logo:
class: "fa fa-sign-out-alt"


@@ -0,0 +1,18 @@
---
- name: "include docker and reverse proxy for '{{ application_id }}'"
include_role:
name: cmp-docker-proxy
when: run_once_web_svc_logout is not defined
- name: Create symbolic link from .env file to repository
file:
src: "{{ docker_compose.files.env }}"
dest: "{{ [ docker_repository_path, '.env' ] | path_join }}"
state: link
when: run_once_web_svc_logout is not defined
- name: run the web svc logout tasks once
set_fact:
run_once_web_svc_logout: true
when: run_once_web_svc_logout is not defined


@@ -0,0 +1,14 @@
{% include 'roles/docker-compose/templates/base.yml.j2' %}
logout:
{% include 'roles/docker-container/templates/base.yml.j2' %}
build:
context: {{ docker_repository_path }}
dockerfile: Dockerfile
image: logout
container_name: logout
ports:
- 127.0.0.1:{{ports.localhost.http[application_id]}}:{{ container_port }}
{% include 'roles/docker-container/templates/networks.yml.j2' %}
{% include 'roles/docker-container/templates/healthcheck/tcp.yml.j2' %}
{% include 'roles/docker-compose/templates/networks.yml.j2' %}


@@ -0,0 +1,14 @@
# Commaseparated list of all subdomains to log out (no spaces)
LOGOUT_DOMAINS={{ logout_domains }}
# Port the logout service will listen on inside the container
LOGOUT_PORT={{ container_port }}
# (Optional) If youre using dockercompose, you can also define:
#HOST_LOGOUT_PORT=8080
#HOST_NGINX_HTTP_PORT=80
#HOST_NGINX_HTTPS_PORT=443
# (For the Nginx Jinja2 proxy snippet)
#LOGOUT_SERVICE_HOST=logout-service
#LOGOUT_SERVICE_PORT=8000


@@ -0,0 +1,20 @@
location = /logout {
# Proxy to the logout service
proxy_pass http://127.0.0.1:{{ ports.localhost.http['web-svc-logout'] }}/logout;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
# CORS headers allow your central page to call this
add_header 'Access-Control-Allow-Origin' '{{ domains | get_url('web-svc-logout', web_protocol) }}' always;
add_header 'Access-Control-Allow-Credentials' 'true' always;
add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS' always;
add_header 'Access-Control-Allow-Headers' 'Accept, Authorization' always;
# Handle preflight
if ($request_method = OPTIONS) {
return 204;
}
}
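Review bot: `Access-Control-Allow-Methods` permits only `GET` and `OPTIONS`, and the upstream presumably clears cookies and sessions on that `GET`; a state-changing action bound to GET can be triggered by a cross-site navigation, or depending on the cookies' `SameSite` attributes by a cross-site request, which is the classic logout-CSRF shape. If the logout service accepts `POST`, prefer it and add it to the allowed methods; otherwise record the trade-off above the `add_header` lines, `# GET-triggered logout: a third-party page can force a sign-out; accepted because the only effect is sign-out`. `Access-Control-Allow-Origin` is correctly fixed to the logout service origin rather than echoing the request `Origin`, which is what makes `Access-Control-Allow-Credentials: true` acceptable here.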


@@ -0,0 +1,15 @@
application_id: "web-svc-logout"
docker_repository_address: "https://github.com/kevinveenbirkenbach/universal-logout"
docker_pull_git_repository: true
container_port: 8000
# The following line leads to that services which arent listed directly in the inventory,
# but are called over other roles, aren't listed here
# @todo implement the calling of also dependency domains (propably the easiest to write a script which adds all dependencies to group_names)
logout_domains: >-
{{
(
[primary_domain] +
(applications | logout_domains(group_names))
) | unique | join(',')
}}
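Review bot: `docker_repository_address` names the GitHub repository and `docker_pull_git_repository: true` builds the image from whatever that checkout resolves to at deploy time, with no tag or commit recorded in this role; since the resulting service handles session clearing for every subdomain, the code it runs should be pinned to a reviewed ref. If the pulling role exposes a ref or version variable, set it here next to `docker_repository_address`; otherwise at least document the intended release in a comment. The `logout_domains` expression itself is fine, and the `@todo` above it already records that dependency-only roles are missed.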