finish up kdcproxy

roles/kerberos/kdc/tasks/main.yml

@@ -50,6 +50,19 @@
     shell: /sbin/nologin
     system: true
 
+- name: add nginx to kdcproxy group
+  user:
+    name: nginx
+    groups: kdcproxy
+
+- name: create kdcproxy config
+  template:
+    dest: /etc/kdcproxy.conf
+    src: kdcproxy.conf.j2
+    mode: 0644
+    owner: root
+    group: "{{ ansible_wheel }}"
+
 - name: create kdcproxy socket file
   copy:
     dest: /lib/systemd/system/gunicorn@kdcproxy.socket
@@ -64,3 +77,12 @@
     name: gunicorn@kdcproxy.socket
     enabled: true
     state: started
+
+- name: create kdcproxy config for nginx
+  template:
+    dest: "/etc/nginx/conf.d/{{ inventory_hostname }}/kdcproxy.conf"
+    src: nginx-kdcproxy.conf.j2
+    mode: 0644
+    owner: root
+    group: "{{ ansible_wheel }}"
+  notify: restart nginx

roles/kerberos/kdc/templates/kdcproxy.conf.j2

@@ -0,0 +1,4 @@
+[global]
+
+[{{ kerberos_realm }}]
+kerberos = kerberos+tcp://localhost

roles/kerberos/kdc/templates/nginx-kdcproxy.conf.j2

@@ -0,0 +1,3 @@
+location /KdcProxy {
+    proxy_pass http://unix:/run/gunicorn/gunicorn-kdcproxy.sock:/KdcProxy;
+}