From cb4e75031756cbf35c5b71c1234efbe89b4ffb15 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach <kevin@veen.world>
Date: Fri, 5 Dec 2025 16:01:35 +0100
Subject: [PATCH] feat(web-opt-rdr-domains): add optional logout proxy
 injection for redirect-only domains

This change introduces the variable 'web_opt_rdr_domains_logout_enabled' allowing redirect-only domains to include the logout-proxy configuration when required (e.g., BlueSky canonical domain deactivation edge cases).
It ensures the logout endpoint is still properly served even when the domain is normally redirected.

Conversation: https://chatgpt.com/share/6932f3a5-3890-800f-a100-a2d36762ffd4
---
 roles/web-app-bluesky/tasks/01_core.yml             |  5 +++--
 roles/web-opt-rdr-domains/defaults/main.yml         |  3 ++-
 .../templates/redirect-domain.conf.j2               | 13 ++++++++++++-
 3 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/roles/web-app-bluesky/tasks/01_core.yml b/roles/web-app-bluesky/tasks/01_core.yml
index 48095904..0d12c4e9 100644
--- a/roles/web-app-bluesky/tasks/01_core.yml
+++ b/roles/web-app-bluesky/tasks/01_core.yml
@@ -52,8 +52,9 @@
 - name: "Redirect deactivated BlueSky Services to {{ BLUESKY_API_DOMAIN }}"
   include_tasks: "utils/load_app.yml"
   vars:
-    load_app_id: web-opt-rdr-domains
-    redirect_domain_mappings: "{{ BLUESKY_REDIRECT_DOMAIN_MAPPINGS }}"
+    load_app_id:                        "web-opt-rdr-domains"
+    redirect_domain_mappings:           "{{ BLUESKY_REDIRECT_DOMAIN_MAPPINGS }}"
+    web_opt_rdr_domains_logout_enabled:: true
 
 - name: "Flush handlers for '{{ role_name }}'"
   meta: flush_handlers
\ No newline at end of file
diff --git a/roles/web-opt-rdr-domains/defaults/main.yml b/roles/web-opt-rdr-domains/defaults/main.yml
index a4cab147..e83695f6 100644
--- a/roles/web-opt-rdr-domains/defaults/main.yml
+++ b/roles/web-opt-rdr-domains/defaults/main.yml
@@ -1 +1,2 @@
-redirect_domain_mappings: []  # Format [{source: target:},...]
\ No newline at end of file
+redirect_domain_mappings:             []      # Format [{source: target:},...]
+web_opt_rdr_domains_logout_enabled::  false   # Activate headers for logout
\ No newline at end of file
diff --git a/roles/web-opt-rdr-domains/templates/redirect-domain.conf.j2 b/roles/web-opt-rdr-domains/templates/redirect-domain.conf.j2
index 3b358bba..edec4ab8 100644
--- a/roles/web-opt-rdr-domains/templates/redirect-domain.conf.j2
+++ b/roles/web-opt-rdr-domains/templates/redirect-domain.conf.j2
@@ -1,6 +1,17 @@
 server {
+
+
   server_name {{ domain }};
   {% include 'roles/sys-svc-letsencrypt/templates/ssl_header.j2' %}
 
-  return 301 https://{{ target }}$request_uri;
+  {% if web_opt_rdr_domains_logout_enabled: | bool %}
+  {# 
+    Required for edge cases e.g. BlueSky where a canonical domain is deactivated,
+    and set as an alias but interpretated as an logout domain
+  #}
+  {% include 'roles/web-svc-logout/templates/logout-proxy.conf.j2' %}
+  {% endif %}
+  location / {
+    return 301 {{ WEB_PROTOCOL }}://{{ target }}$request_uri;
+  }
 }