Refactored server roles for better readability

2025-10-31 18:29:21 +00:00 · 2025-09-01 18:08:35 +02:00
parent b7065837df
commit b02d88adc0
77 changed files with 103 additions and 116 deletions
--- a/roles/sys-svc-proxy/templates/vhost/basic.conf.j2
+++ b/roles/sys-svc-proxy/templates/vhost/basic.conf.j2
@@ -0,0 +1,62 @@
+server
+{
+  server_name {{ domain }};
+  {% include 'roles/sys-svc-proxy/templates/headers/buffers.conf.j2' %}
+  
+  {% if applications | get_app_conf(application_id, 'features.oauth2', False) %}
+    {% include 'roles/web-app-oauth2-proxy/templates/endpoint.conf.j2'%}
+  {% endif %}
+
+  {% include 'roles/sys-front-inj-all/templates/server.conf.j2'%}
+  
+  {% if proxy_extra_configuration is defined %}
+    {# Additional Domain Specific Configuration #}
+    {{ proxy_extra_configuration }}
+  {% endif %}
+
+  {% include 'roles/sys-svc-letsencrypt/templates/ssl_header.j2' %}
+
+  {% if applications | get_app_conf(application_id, 'features.oauth2', False) %}
+    {% set acl = applications | get_app_conf(application_id, 'oauth2_proxy.acl', False, {}) %}
+
+    {% if acl.blacklist is defined %}
+      {# 1. Expose everything by default, then protect blacklisted paths #}
+      {% set oauth2_proxy_enabled = false %}
+      {% set location = "/" %}
+      {% include 'roles/sys-svc-proxy/templates/location/html.conf.j2' %}
+
+      {% for loc in acl.blacklist %}
+        {% set oauth2_proxy_enabled = true %}
+        {% set location = loc %}
+        {% include 'roles/sys-svc-proxy/templates/location/html.conf.j2' %}
+      {% endfor %}
+
+    {% elif acl.whitelist is defined %}
+      {# 2. Protect everything by default, then expose whitelisted paths #}
+      {% set oauth2_proxy_enabled = true %}
+      {% set location = "/" %}
+      {% include 'roles/sys-svc-proxy/templates/location/html.conf.j2' %}
+
+      {% for loc in acl.whitelist %}
+        {% set oauth2_proxy_enabled = false %}
+        {% set location = loc %}
+        {% include 'roles/sys-svc-proxy/templates/location/html.conf.j2' %}
+      {% endfor %}
+
+    {% else %}
+      {# 3. OAuth2 enabled but no (or empty) ACL — protect all #}
+      {% set oauth2_proxy_enabled = true %}
+      {% set location = "/" %}
+      {% include 'roles/sys-svc-proxy/templates/location/html.conf.j2' %}
+    {% endif %}
+
+  {% else %}
+    {# 4. OAuth2 completely disabled — expose all #}
+    {% set oauth2_proxy_enabled = false %}
+    {% set location = "/" %}
+    {% include 'roles/sys-svc-proxy/templates/location/html.conf.j2' %}
+  {% endif %}
+
+}
+
+