pretix: enable OIDC support

- add pretix-oidc plugin installation (Dockerfile, version 2.3.1 default) - configure OIDC env vars (issuer, endpoints, client ID/secret, scopes, unique attribute) - enable redis + database, add config/data volumes - switch canonical domain to ticket.<PRIMARY_DOMAIN> with pretix.<PRIMARY_DOMAIN> alias - mirror GitLab-style OIDC var structure for consistency Implements pretix authentication via Keycloak/SSO. See: https://chatgpt.com/share/68b19721-341c-800f-b372-527164474018
2025-11-03 19:58:14 +00:00 · 2025-08-29 14:04:03 +02:00
parent f4ea6c6c0f
commit 092869b29a
5 changed files with 109 additions and 26 deletions
--- a/roles/web-app-pretix/config/main.yml
+++ b/roles/web-app-pretix/config/main.yml
@@ -1,31 +1,36 @@
-
 credentials: {}
 docker:
-  images: {}                # @todo Move under services
-  versions: {}              # @todo Move under services
  services:
    redis:
-      enabled:      false   # Enable Redis 
+      enabled:  true
    database:
-      enabled:      false   # Enable the database 
+      enabled:  true
+    application:
+      image:    pretix/standalone
+      version:  stable
+      name:     pretix
+  volumes:
+    data:       "pretix_data"
+    config:     "pretix_config"
 features:
-  matomo:           true    # Enable Matomo Tracking
-  css:              true    # Enable Global CSS Styling
-  desktop:  true    # Enable loading of app in iframe
-  ldap:             false   # Enable LDAP Network
-  central_database: false   # Enable Central Database Network
-  recaptcha:        false   # Enable ReCaptcha
-  oauth2:           false   # Enable the OAuth2-Proy
-  javascript:       false   # Enables the custom JS in the javascript.js.j2 file   
+  matomo:           true
+  css:              true
+  desktop:          true
+  central_database: true
  logout:           true
+  oidc:             true
 server:
  csp:
-    whitelist:        {}      # URL's which should be whitelisted
-    flags:            {}      # Flags which should be set
+    whitelist:      {}
+    flags:          {}
  domains:
    canonical:
+      - "ticket.{{ PRIMARY_DOMAIN }}"
+    aliases:
      - "pretix.{{ PRIMARY_DOMAIN }}"
-    aliases:          []      # Alias redirections to the first element of the canonical domains
 rbac:
  roles: {}
+plugins:
+  oidc:
+    version: "2.3.1"

--- a/roles/web-app-pretix/templates/Dockerfile.j2
+++ b/roles/web-app-pretix/templates/Dockerfile.j2
@@ -0,0 +1,4 @@
+ARG PRETIX_BASE_IMAGE={{ PRETIX_IMAGE }}:{{ PRETIX_VERSION }}
+FROM ${PRETIX_BASE_IMAGE}
+# Install OIDC auth plugin for Pretix
+RUN python -m pip install --no-cache-dir "pretix-oidc=={{ PRETIX_OIDC_PLUGIN_VERSION }}"
--- a/roles/web-app-pretix/templates/docker-compose.yml.j2
+++ b/roles/web-app-pretix/templates/docker-compose.yml.j2
@@ -1,20 +1,32 @@
-
 services:
-
 {% include 'roles/docker-compose/templates/base.yml.j2' %}

  application:
-    image: "{{ applications | get_app_conf(application_id, 'images.' ~ application_id, True) }}"
-    volumes: []
+    build:
+      context: .
+      dockerfile: Dockerfile
+      args:
+        PRETIX_BASE_IMAGE: "{{ PRETIX_IMAGE }}:{{ PRETIX_VERSION }}"
+    image: "{{ PRETIX_IMAGE }}:{{ PRETIX_VERSION }}-oidc"
+    container_name: "{{ PRETIX_CONTAINER }}"
+    hostname: '{{ PRETIX_HOSTNAME}}'
+    command: ["all"]
    ports:
-      - "127.0.0.1:{{ ports.localhost.http[application_id] }}:{{ container_port }}"
+      - "127.0.0.1:{{ ports.localhost.http[application_id] }}:80"
+    volumes:
+      - 'data:/data'
+      - 'config:/etc/pretix'
 {% include 'roles/docker-container/templates/healthcheck/curl.yml.j2' %}
 {% include 'roles/docker-container/templates/base.yml.j2' %}
-{% include 'roles/docker-container/templates/depends_on/dmbs_excl.yml.j2' %}
+    depends_on:
+      - database
+      - redis
 {% include 'roles/docker-container/templates/networks.yml.j2' %}

 {% include 'roles/docker-compose/templates/volumes.yml.j2' %}
+  config:
+    name: {{ PRETIX_CONF_VOLUME }}
+  data:
+    name: {{ PRETIX_DATA_VOLUME }}

 {% include 'roles/docker-compose/templates/networks.yml.j2' %}
-
-
--- a/roles/web-app-pretix/templates/env.j2
+++ b/roles/web-app-pretix/templates/env.j2
@@ -0,0 +1,34 @@
+## Pretix core
+PRETIX_PRETIX_INSTANCE_NAME="{{ PRIMARY_DOMAIN | upper }} Tickets"
+PRETIX_PRETIX_URL="{{ PRETIX_URL }}"
+PRETIX_PRETIX_AUTH_BACKENDS="pretix.base.auth.NativeAuthBackend{% if PRETIX_OIDC_ENABLED %},pretix_oidc.auth.OIDCAuthBackend{% endif %}"
+
+## Locale
+PRETIX_LOCALE_TIMEZONE="{{ HOST_TIMEZONE }}"
+
+## Database
+PRETIX_DATABASE_BACKEND="postgresql"
+PRETIX_DATABASE_NAME="{{ database_name }}"
+PRETIX_DATABASE_USER="{{ database_username }}"
+PRETIX_DATABASE_PASSWORD="{{ database_password }}"
+PRETIX_DATABASE_HOST="{{ database_host }}"
+PRETIX_DATABASE_PORT="{{ database_port }}"
+
+## Redis
+PRETIX_REDIS_LOCATION="redis://redis:6379/1"
+PRETIX_REDIS_SESSIONS="true"
+
+## OIDC (plugin)
+{% if PRETIX_OIDC_ENABLED %}
+PRETIX_OIDC_TITLE="{{ PRETIX_OIDC_LABEL | replace('\"','\\\"') }}"
+PRETIX_OIDC_ISSUER="{{ PRETIX_OIDC_ISSUER }}"
+PRETIX_OIDC_AUTHORIZATION_ENDPOINT="{{ PRETIX_OIDC_AUTH_URL }}"
+PRETIX_OIDC_TOKEN_ENDPOINT="{{ PRETIX_OIDC_TOKEN_URL }}"
+PRETIX_OIDC_USERINFO_ENDPOINT="{{ PRETIX_OIDC_USERINFO_URL }}"
+PRETIX_OIDC_END_SESSION_ENDPOINT="{{ PRETIX_OIDC_LOGOUT_URL }}"
+PRETIX_OIDC_JWKS_URI="{{ PRETIX_OIDC_JWKS_URL }}"
+PRETIX_OIDC_CLIENT_ID="{{ PRETIX_OIDC_CLIENT_ID }}"
+PRETIX_OIDC_CLIENT_SECRET="{{ PRETIX_OIDC_CLIENT_SECRET }}"
+PRETIX_OIDC_SCOPES="{{ PRETIX_OIDC_SCOPES }}"
+PRETIX_OIDC_UNIQUE_ATTRIBUTE="{{ PRETIX_OIDC_UNIQUE_ATTRIBUTE }}"
+{% endif %}
--- a/roles/web-app-pretix/vars/main.yml
+++ b/roles/web-app-pretix/vars/main.yml
@@ -1,2 +1,30 @@
-application_id: web-app-pretix # ID of the application
-database_type:  0                    # Database type [postgres, mariadb]
+application_id:                 "web-app-pretix"
+database_type:                  "postgres"
+container_port:                 80
+
+# URLs
+PRETIX_URL:                     "{{ domains | get_url(application_id, WEB_PROTOCOL) }}"
+PRETIX_HOSTNAME:                "{{ domains | get_domain(application_id) }}"
+
+# OIDC (mirrors GitLab’s pattern)
+PRETIX_OIDC_ENABLED:            "{{ applications | get_app_conf(application_id, 'features.oidc') }}"
+PRETIX_OIDC_LABEL:              "{{ OIDC.BUTTON_TEXT }}"
+PRETIX_OIDC_CLIENT_ID:          "{{ OIDC.CLIENT.ID }}"
+PRETIX_OIDC_CLIENT_SECRET:      "{{ OIDC.CLIENT.SECRET }}"
+PRETIX_OIDC_ISSUER:             "{{ OIDC.CLIENT.ISSUER_URL }}"
+PRETIX_OIDC_AUTH_URL:           "{{ OIDC.CLIENT.AUTHORIZE_URL }}"
+PRETIX_OIDC_TOKEN_URL:          "{{ OIDC.CLIENT.TOKEN_URL }}"
+PRETIX_OIDC_USERINFO_URL:       "{{ OIDC.CLIENT.USER_INFO_URL }}"
+PRETIX_OIDC_LOGOUT_URL:         "{{ OIDC.CLIENT.LOGOUT_URL }}"
+PRETIX_OIDC_JWKS_URL:           "{{ OIDC.CLIENT.CERTS }}"
+PRETIX_OIDC_SCOPES:             "openid,email,profile"
+# Use Keycloak username claim by default (plugin default is 'sub')
+PRETIX_OIDC_UNIQUE_ATTRIBUTE:   "{{ OIDC.ATTRIBUTES.USERNAME }}"
+
+# Docker
+PRETIX_VERSION:                 "{{ applications | get_app_conf(application_id, 'docker.services.application.version') }}"
+PRETIX_IMAGE:                   "{{ applications | get_app_conf(application_id, 'docker.services.application.image') }}"
+PRETIX_CONTAINER:               "{{ applications | get_app_conf(application_id, 'docker.services.application.name') }}"
+PRETIX_DATA_VOLUME:             "{{ applications | get_app_conf(application_id, 'docker.volumes.data') }}"
+PRETIX_CONF_VOLUME:             "{{ applications | get_app_conf(application_id, 'docker.volumes.config') }}"
+PRETIX_OIDC_PLUGIN_VERSION:     "{{ applications | get_app_conf(application_id, 'plugins.oidc.version') }}"