diff --git a/group_vars/all b/group_vars/all
index 5193e065..19575c90 100644
--- a/group_vars/all
+++ b/group_vars/all
@@ -295,11 +295,12 @@ mybb_version: "latest"
 nextcloud_version: "production" # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/
 #### OAuth2 Proxy
-oauth2_proxy_active: true
+oauth2_configuration_file: "oauth2-proxy-keycloak.cfg"
+oauth2_proxy_active: false # Needs to be set true in the roles which use it
 oauth2_version: "latest"
 oauth2_proxy_redirect_url: "https://{{domain_keycloak}}/auth/realms/{{primary_domain}}/protocol/openid-connect/auth" # The redirect URL for the OAuth2 flow. It should match the redirect URL configured in Keycloak.
-# oauth2_proxy_port: >= 4180 # This ports should be defined in the roles. They are for the local mapping on the host and need to be defined in the playbook for transparancy.
-# oauth2_proxy_upstream_application: # The name of the application which the server redirects to. Needs to be defined in role vars.
+# oauth2_proxy_port: >= 4180 # This ports should be defined in the roles. They are for the local mapping on the host and need to be defined in the playbook for transparancy.
+# oauth2_proxy_upstream_application_and_port: # The name of the application which the server redirects to. Needs to be defined in role vars.
 #### Open Project
 # openproject_oauth2_proxy_client_secret: Needs to be defined in inventory # The client ID configured in Keycloak for the application.
diff --git a/roles/docker-oauth2-proxy/README.md b/roles/docker-oauth2-proxy/README.md
new file mode 100644
index 00000000..68c63ce5
--- /dev/null
+++ b/roles/docker-oauth2-proxy/README.md
@@ -0,0 +1 @@
+https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/local-environment/keycloak/oauth2-proxy-realm.json
\ No newline at end of file
diff --git a/roles/docker-oauth2-proxy/tasks/main.yml b/roles/docker-oauth2-proxy/tasks/main.yml
index adae50be..527a49e6 100644
--- a/roles/docker-oauth2-proxy/tasks/main.yml
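Review bot: The re-added comment lines for `oauth2_proxy_port` and `oauth2_proxy_upstream_application_and_port` keep the old wording and typo ("This ports ... transparancy") even though the commit rewrites them; correct them to `# oauth2_proxy_port: >= 4180 # Must be defined per role; it is the host-local port mapping and is kept in the playbook for transparency.` The new `oauth2_configuration_file` key is a bare file name that the docker-oauth2-proxy task in this commit appends to `docker_compose_instance_directory`, which is worth stating: `oauth2_configuration_file: "oauth2-proxy-keycloak.cfg" # File name only; the docker-oauth2-proxy role writes it into docker_compose_instance_directory`. The new default `oauth2_proxy_active: false` is read as `| bool` in one task and `| default(false)` in another elsewhere in this commit; a comment here that the value is always defined would make the redundant default obvious.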
+++ b/roles/docker-oauth2-proxy/tasks/main.yml
@@ -1,6 +1,6 @@
 - name: "Transfering oauth2-proxy-keycloak.cfg.j2 to {{docker_compose_instance_directory}}"
- copy:
+ template:
 src: oauth2-proxy-keycloak.cfg.j2
- dest: "{{docker_compose_instance_directory}}oauth2-proxy-keycloak.cfg"
-# notify:
-# - docker compose project setup
\ No newline at end of file
+ dest: "{{docker_compose_instance_directory}}{{oauth2_configuration_file}}"
+ notify:
+ - docker compose project setup
\ No newline at end of file
diff --git a/roles/docker-oauth2-proxy/templates/container.yml.j2 b/roles/docker-oauth2-proxy/templates/container.yml.j2
index b7722a5e..7128a383 100644
--- a/roles/docker-oauth2-proxy/templates/container.yml.j2
+++ b/roles/docker-oauth2-proxy/templates/container.yml.j2
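Review bot: The `template:` task sets no `mode:` or `owner:` alongside the new `dest:` line, so the rendered config, which carries `cookie_secret` and `client_secret` according to the cfg.j2 template in this commit, is written with umask-derived default permissions and is typically world-readable on the host. Add an explicit mode such as `mode: "0640"`, and confirm that the user the oauth2-proxy container runs as can still read the bind-mounted file. Since the destination now comes from a variable, the task name could follow: `- name: "Transfering {{oauth2_configuration_file}} to {{docker_compose_instance_directory}}"`.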
@@ -1,24 +1,11 @@
 oauth2-proxy:
- image: quay.io/oauth2-proxy/oauth2-proxy:v7.8.1
- #image: quay.io/oauth2-proxy/oauth2-proxy:{{oauth2_version}}
+ #image: quay.io/oauth2-proxy/oauth2-proxy:v7.8.1
+ image: quay.io/oauth2-proxy/oauth2-proxy:{{oauth2_version}}
 restart: {{docker_restart_policy}}
 command: --config /oauth2-proxy.cfg
 hostname: oauth2-proxy
- #environment:
- # OAUTH2_PROXY_PROVIDER: "keycloak" # The OAuth2 provider, in this case, Keycloak. Change based on your provider (e.g., Google, GitHub).
- # OAUTH2_PROXY_OIDC_ISSUER_URL: "https://auth.veen.world/auth/realms/veen.world"
- # OAUTH2_PROXY_CLIENT_ID: "{{domain}}" # The client ID configured in Keycloak for the application.
- # OAUTH2_PROXY_CLIENT_SECRET: "{{oauth2_proxy_client_secret}}" # The client secret configured in Keycloak for the application.
- # OAUTH2_PROXY_COOKIE_SECRET: "{{oauth2_proxy_cookie_secret}}" # A random 32-character string used to sign cookies for session management. Generate with `openssl rand -base64 32`.
- # #OAUTH2_PROXY_EMAIL_DOMAINS: "{{primary_domain}}" # The allowed email domain(s) for authentication. Example: "example.com".
- # OAUTH2_PROXY_REDIRECT_URL: "{{oauth2_proxy_redirect_url}}" # The redirect URL for the OAuth2 flow. It should match the redirect URL configured in Keycloak.
- # OAUTH2_PROXY_UPSTREAMS: "http://127.0.0.1:{{http_port}}" # The internal upstream service (your application) that OAuth2-Proxy protects.
 ports:
- # - "127.0.0.1:{{oauth2_proxy_port}}:4180"
- - 4180:4180/tcp
+ - {{oauth2_proxy_port}}:4180/tcp
 volumes:
- - "./oauth2-proxy-keycloak.cfg:/oauth2-proxy.cfg"
-{% include 'templates/docker/container/networks.yml.j2' %}
-# keycloak: {}
-# httpbin: {}
-# oauth2-proxy: {}
\ No newline at end of file
+ - "./{{oauth2_configuration_file}}:/oauth2-proxy.cfg"
+{% include 'templates/docker/container/networks.yml.j2' %}
\ No newline at end of file
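Review bot: The new port line `- {{oauth2_proxy_port}}:4180/tcp` publishes oauth2-proxy on every host interface, while the deleted commented line and the group_vars comment ("local mapping on the host") both intend a loopback binding behind nginx; an externally reachable 4180 also bypasses TLS termination, which matters because the cfg template in this commit sets `cookie_secure="false"`. Quote the mapping (it is a port-style scalar) and pin it to loopback: `- "127.0.0.1:{{oauth2_proxy_port}}:4180/tcp"`. `oauth2_proxy_port` is not defined in the openproject role vars this commit adds (only the upstream and the active flag are), so unless the inventory supplies it, rendering this template for that role fails on an undefined variable. Switching the image tag to `{{oauth2_version}}`, which group_vars sets to `"latest"`, drops the previous pin to v7.8.1; setting `oauth2_version` to a concrete release keeps deployments reproducible.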
diff --git a/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2 b/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
index ad32ee6c..57ded83b 100644
--- a/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
+++ b/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
@@ -2,14 +2,13 @@ http_address="0.0.0.0:4180"
 cookie_secret="{{oauth2_proxy_cookie_secret}}"
 email_domains="{{primary_domain}}"
 cookie_secure="false"
-upstreams="http://proxy:80"
-cookie_domains=["{{domain}}", "{{domain_keycloak}}"] # Required so cookie can be read on all subdomains.
-whitelist_domains=[".{{primary_domain}}"] # Required to allow redirection back to original requested target.
+upstreams="http://{{oauth2_proxy_upstream_application_and_port}}"
+cookie_domains=["{{domain}}", "{{domain_keycloak}}"] # Required so cookie can be read on all subdomains.
+whitelist_domains=[".{{primary_domain}}"] # Required to allow redirection back to original requested target.
 # keycloak provider
 client_secret="{{oauth2_proxy_client_secret}}"
 client_id="{{domain}}"
-#redirect_url="http://oauth2-proxy.localtest.me:4180/oauth2/callback"
 redirect_url="https://{{domain}}/oauth2/callback"
 # in this case oauth2-proxy is going to visit
diff --git a/roles/docker-openproject/tasks/main.yml b/roles/docker-openproject/tasks/main.yml
index f0cd3079..42e39105 100644
--- a/roles/docker-openproject/tasks/main.yml
+++ b/roles/docker-openproject/tasks/main.yml
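Review bot: The re-added `cookie_domains` line shares the session cookie across `{{domain}}` and `{{domain_keycloak}}`, but the unchanged `cookie_secure="false"` two lines above leaves the Secure flag off, so the cookie is also sent over plain HTTP to either host even though `redirect_url` is https. This is existing context rather than something the commit introduces, but the cookie settings being reworked here are where it belongs: set `cookie_secure="true"` unless plain-HTTP access is deliberately needed, since the proxy sits behind an https-terminating nginx in this setup. The three re-added lines appear identical to the removed ones apart from whitespace; if a trailing-space cleanup is the intent, a one-word commit note would save the next reader a diff.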
@@ -8,13 +8,6 @@
 - name: "include tasks update-repository-with-docker-compose.yml"
 include_tasks: update-repository-with-docker-compose.yml
-- name: "Transfering oauth2-proxy-keycloak.cfg.j2 to {{docker_compose_instance_directory}}"
- template:
- src: roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
- dest: "{{docker_compose_instance_directory}}oauth2-proxy-keycloak.cfg"
- notify:
- - docker compose project setup
-
 - name: "Transfering Gemfile.plugins to {{docker_compose_instance_directory}}"
 copy:
 src: Gemfile.plugins
diff --git a/roles/docker-openproject/vars/main.yml b/roles/docker-openproject/vars/main.yml
index 6602e309..566d595b 100644
--- a/roles/docker-openproject/vars/main.yml
+++ b/roles/docker-openproject/vars/main.yml
@@ -1,11 +1,14 @@
-docker_compose_project_name: "openproject"
-repository_directory: "{{ path_docker_compose_instances }}{{docker_compose_project_name}}/"
-docker_compose_instance_directory: "{{repository_directory}}compose/"
-database_password: "{{openproject_database_password}}"
-repository_address: "https://github.com/opf/openproject-deploy"
-database_type: "postgres"
+docker_compose_project_name: "openproject"
+repository_directory: "{{ path_docker_compose_instances }}{{docker_compose_project_name}}/"
+docker_compose_instance_directory: "{{repository_directory}}compose/"
+database_password: "{{openproject_database_password}}"
+repository_address: "https://github.com/opf/openproject-deploy"
+database_type: "postgres"
 # The following volume doesn't have a practcical function. It just exist to prevent the creation of unnecessary anonymous volumes
-dummy_volume: "{{repository_directory}}dummy_volume"
-oauth2_proxy_client_secret: "{{openproject_oauth2_proxy_client_secret}}"
-oauth2_proxy_cookie_secret: "{{openproject_oauth2_proxy_cookie_secret}}"
-#oauth2_proxy_upstream_application: ""
\ No newline at end of file
+dummy_volume: "{{repository_directory}}dummy_volume"
+
+# OAuth2 Proxy Configuration
+oauth2_proxy_client_secret: "{{openproject_oauth2_proxy_client_secret}}"
+oauth2_proxy_cookie_secret: "{{openproject_oauth2_proxy_cookie_secret}}"
+oauth2_proxy_upstream_application_and_port: "proxy:80"
+oauth2_proxy_active: true
\ No newline at end of file
diff --git a/tasks/nginx-docker-proxy-domain.yml b/tasks/nginx-docker-proxy-domain.yml
index f0a72f20..12a949dc 100644
--- a/tasks/nginx-docker-proxy-domain.yml
+++ b/tasks/nginx-docker-proxy-domain.yml
@@ -3,3 +3,8 @@
 - name: "include task create-domain-conf.yml"
 include_tasks: create-domain-conf.yml
+
+- name: include the docker-oauth2-proxy role
+ include_role:
+ name: docker-oauth2-proxy
+ when: oauth2_proxy_active | bool
\ No newline at end of file
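Review bot: `oauth2_proxy_active: true` and `oauth2_proxy_upstream_application_and_port: "proxy:80"` are added to the role's `vars/main.yml`, which in Ansible's precedence order overrides inventory group_vars and host_vars, so the group_vars default of `false` introduced in this commit can no longer switch the proxy off per host for openproject. If a per-host opt-out is wanted, these two keys belong in `defaults/main.yml`; if always-on is the intent, say so on the line, e.g. `oauth2_proxy_active: true # Role-level override; not adjustable from inventory`. The new "OAuth2 Proxy Configuration" stanza also maps two secrets into generic variable names; a comment that the `openproject_*` source values are expected from the inventory (as the group_vars comment for the client secret already says) would make that contract visible here.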
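Review bot: `when: oauth2_proxy_active | bool` in the new include_role task raises on an undefined variable, whereas the task added in tasks/update-repository-with-files.yml in this commit guards the same flag with `| default(false)`; use one form in both places, preferably `when: oauth2_proxy_active | default(false) | bool`, so roles that never set the flag behave the same on both paths. The task name is the only unquoted one in this file; `- name: "include role docker-oauth2-proxy"` matches the neighbouring style.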
diff --git a/tasks/update-repository-with-files.yml b/tasks/update-repository-with-files.yml
index ecb56563..6d1e6991 100644
--- a/tasks/update-repository-with-files.yml
+++ b/tasks/update-repository-with-files.yml
@@ -1,3 +1,14 @@
+- name: "Add {{oauth2_configuration_file}} to detached_files if oauth2_proxy_active is true"
+ ansible.builtin.set_fact:
+ detached_files: >-
+ {{
+ (detached_files | default([]))
+ + [oauth2_configuration_file]
+ if oauth2_configuration_file not in (detached_files | default([]))
+ else detached_files | default([])
+ }}
+ when: oauth2_proxy_active | default(false)
+
 - name: "backup detached files"
 command: >
 mv "{{docker_compose_instance_directory}}{{ item }}" "/tmp/{{docker_compose_project_name}}-{{ item }}.backup"
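Review bot: Adding `{{oauth2_configuration_file}}` to `detached_files` routes the rendered oauth2-proxy config, which holds `client_secret` and `cookie_secret` per the cfg.j2 template in this commit, through the following "backup detached files" task, which moves it to `/tmp/{{docker_compose_project_name}}-<file>.backup`; `mv` keeps the file's existing mode, so unless the template task sets a restrictive one the secrets sit readable to any local user in a shared directory, and nothing visible here removes the backup afterwards. Keep such backups in a private directory, or restore and delete them at the end of the task file, rather than under `/tmp`. The dedup expression can drop the `>-` block and the repeated default: `detached_files: "{{ (detached_files | default([]) + [oauth2_configuration_file]) | unique }}"`. The "backup detached files" task continues outside the hunk.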