refactored oauth2-proxy

group_vars/all

@@ -295,11 +295,12 @@ mybb_version:               "latest"
 nextcloud_version:          "production"  # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/
 
 #### OAuth2 Proxy
-oauth2_proxy_active:                  true
+oauth2_configuration_file:            "oauth2-proxy-keycloak.cfg"
+oauth2_proxy_active:                  false       # Needs to be set true in the roles which use it
 oauth2_version:                       "latest"
 oauth2_proxy_redirect_url:            "https://{{domain_keycloak}}/auth/realms/{{primary_domain}}/protocol/openid-connect/auth"  # The redirect URL for the OAuth2 flow. It should match the redirect URL configured in Keycloak.
-# oauth2_proxy_port:                  >= 4180 # This ports should be defined in the roles. They are for the local mapping on the host and need to be defined in the playbook for transparancy.
-# oauth2_proxy_upstream_application:  # The name of the application which the server redirects to. Needs to be defined in role vars.
+# oauth2_proxy_port:                  >= 4180     # This ports should be defined in the roles. They are for the local mapping on the host and need to be defined in the playbook for transparancy.
+# oauth2_proxy_upstream_application_and_port:  # The name of the application which the server redirects to. Needs to be defined in role vars.
 
 #### Open Project
 # openproject_oauth2_proxy_client_secret: Needs to be defined in inventory # The client ID configured in Keycloak for the application. 

roles/docker-oauth2-proxy/README.md

@@ -0,0 +1 @@
+https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/local-environment/keycloak/oauth2-proxy-realm.json

roles/docker-oauth2-proxy/tasks/main.yml

@@ -1,6 +1,6 @@
 - name: "Transfering oauth2-proxy-keycloak.cfg.j2 to {{docker_compose_instance_directory}}"
-  copy:
+  template:
     src: oauth2-proxy-keycloak.cfg.j2
-    dest: "{{docker_compose_instance_directory}}oauth2-proxy-keycloak.cfg"
-#  notify:
-#    - docker compose project setup
+    dest: "{{docker_compose_instance_directory}}{{oauth2_configuration_file}}"
+  notify:
+    - docker compose project setup

roles/docker-oauth2-proxy/templates/container.yml.j2

@@ -1,24 +1,11 @@
   oauth2-proxy:
-    image: quay.io/oauth2-proxy/oauth2-proxy:v7.8.1
-    #image: quay.io/oauth2-proxy/oauth2-proxy:{{oauth2_version}}
+    #image: quay.io/oauth2-proxy/oauth2-proxy:v7.8.1
+    image: quay.io/oauth2-proxy/oauth2-proxy:{{oauth2_version}}
     restart: {{docker_restart_policy}}
     command: --config /oauth2-proxy.cfg
     hostname: oauth2-proxy
-    #environment:
-    #  OAUTH2_PROXY_PROVIDER:      "keycloak"                        # The OAuth2 provider, in this case, Keycloak. Change based on your provider (e.g., Google, GitHub).
-    #  OAUTH2_PROXY_OIDC_ISSUER_URL: "https://auth.veen.world/auth/realms/veen.world"
-    #  OAUTH2_PROXY_CLIENT_ID:     "{{domain}}"                      # The client ID configured in Keycloak for the application.
-    #  OAUTH2_PROXY_CLIENT_SECRET: "{{oauth2_proxy_client_secret}}"  # The client secret configured in Keycloak for the application.
-    #  OAUTH2_PROXY_COOKIE_SECRET: "{{oauth2_proxy_cookie_secret}}"  # A random 32-character string used to sign cookies for session management. Generate with `openssl rand -base64 32`.
-    #  #OAUTH2_PROXY_EMAIL_DOMAINS: "{{primary_domain}}"              # The allowed email domain(s) for authentication. Example: "example.com".
-    #  OAUTH2_PROXY_REDIRECT_URL:  "{{oauth2_proxy_redirect_url}}"   # The redirect URL for the OAuth2 flow. It should match the redirect URL configured in Keycloak.
-    #  OAUTH2_PROXY_UPSTREAMS:     "http://127.0.0.1:{{http_port}}"  # The internal upstream service (your application) that OAuth2-Proxy protects.
     ports:
-    #  - "127.0.0.1:{{oauth2_proxy_port}}:4180"
-      - 4180:4180/tcp
+      - {{oauth2_proxy_port}}:4180/tcp
     volumes:
-      - "./oauth2-proxy-keycloak.cfg:/oauth2-proxy.cfg"
+      - "./{{oauth2_configuration_file}}:/oauth2-proxy.cfg"
 {% include 'templates/docker/container/networks.yml.j2' %}
-#      keycloak: {}
-#      httpbin: {}
-#      oauth2-proxy: {}

roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2

@@ -2,14 +2,13 @@ http_address="0.0.0.0:4180"
 cookie_secret="{{oauth2_proxy_cookie_secret}}"
 email_domains="{{primary_domain}}"
 cookie_secure="false"
-upstreams="http://proxy:80"
-cookie_domains=["{{domain}}", "{{domain_keycloak}}"]    # Required so cookie can be read on all subdomains.
-whitelist_domains=[".{{primary_domain}}"]               # Required to allow redirection back to original requested target.
+upstreams="http://{{oauth2_proxy_upstream_application_and_port}}"
+cookie_domains=["{{domain}}", "{{domain_keycloak}}"]                # Required so cookie can be read on all subdomains.
+whitelist_domains=[".{{primary_domain}}"]                           # Required to allow redirection back to original requested target.
 
 # keycloak provider
 client_secret="{{oauth2_proxy_client_secret}}"
 client_id="{{domain}}"
-#redirect_url="http://oauth2-proxy.localtest.me:4180/oauth2/callback"
 redirect_url="https://{{domain}}/oauth2/callback"
 
 # in this case oauth2-proxy is going to visit

roles/docker-openproject/tasks/main.yml

@@ -8,13 +8,6 @@
 - name: "include tasks update-repository-with-docker-compose.yml"
   include_tasks: update-repository-with-docker-compose.yml
 
-- name: "Transfering oauth2-proxy-keycloak.cfg.j2 to {{docker_compose_instance_directory}}"
-  template:
-    src: roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
-    dest: "{{docker_compose_instance_directory}}oauth2-proxy-keycloak.cfg"
-  notify:
-    - docker compose project setup
-
 - name: "Transfering Gemfile.plugins to {{docker_compose_instance_directory}}"
   copy:
     src: Gemfile.plugins

roles/docker-openproject/vars/main.yml

@@ -1,11 +1,14 @@
-docker_compose_project_name:        "openproject"
-repository_directory:               "{{ path_docker_compose_instances }}{{docker_compose_project_name}}/"
-docker_compose_instance_directory:  "{{repository_directory}}compose/"
-database_password:                  "{{openproject_database_password}}"
-repository_address:                 "https://github.com/opf/openproject-deploy"
-database_type:                      "postgres"
+docker_compose_project_name:                  "openproject"
+repository_directory:                         "{{ path_docker_compose_instances }}{{docker_compose_project_name}}/"
+docker_compose_instance_directory:            "{{repository_directory}}compose/"
+database_password:                            "{{openproject_database_password}}"
+repository_address:                           "https://github.com/opf/openproject-deploy"
+database_type:                                "postgres"
 # The following volume doesn't have a practcical function. It just exist to prevent the creation of unnecessary anonymous volumes
-dummy_volume:                       "{{repository_directory}}dummy_volume"
-oauth2_proxy_client_secret:         "{{openproject_oauth2_proxy_client_secret}}"
-oauth2_proxy_cookie_secret:         "{{openproject_oauth2_proxy_cookie_secret}}"
-#oauth2_proxy_upstream_application:  ""
+dummy_volume:                                 "{{repository_directory}}dummy_volume"
+
+# OAuth2 Proxy Configuration
+oauth2_proxy_client_secret:                   "{{openproject_oauth2_proxy_client_secret}}"
+oauth2_proxy_cookie_secret:                   "{{openproject_oauth2_proxy_cookie_secret}}"
+oauth2_proxy_upstream_application_and_port:   "proxy:80"
+oauth2_proxy_active:                          true

tasks/nginx-docker-proxy-domain.yml

@@ -3,3 +3,8 @@
 
 - name: "include task create-domain-conf.yml"
   include_tasks: create-domain-conf.yml
+
+- name: include the docker-oauth2-proxy role
+  include_role:
+    name: docker-oauth2-proxy
+  when: oauth2_proxy_active | bool

tasks/update-repository-with-files.yml

@@ -1,3 +1,14 @@
+- name: "Add {{oauth2_configuration_file}} to detached_files if oauth2_proxy_active is true"
+  ansible.builtin.set_fact:
+    detached_files: >-
+      {{
+        (detached_files | default([])) +
+        [oauth2_configuration_file]
+        if oauth2_configuration_file not in (detached_files | default([]))
+        else detached_files | default([])
+      }}
+  when: oauth2_proxy_active | default(false)
+
 - name: "backup detached files"
   command: >
     mv "{{docker_compose_instance_directory}}{{ item }}" "/tmp/{{docker_compose_project_name}}-{{ item }}.backup"