From 092869b29aa239f731af95ccdeadbd5893d2a381 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Fri, 29 Aug 2025 14:04:03 +0200
Subject: [PATCH] pretix: enable OIDC support

- add pretix-oidc plugin installation (Dockerfile, version 2.3.1 default)
- configure OIDC env vars (issuer, endpoints, client ID/secret, scopes, unique attribute)
- enable redis + database, add config/data volumes
- switch canonical domain to ticket. with pretix. alias
- mirror GitLab-style OIDC var structure for consistency

Implements pretix authentication via Keycloak/SSO.

See: https://chatgpt.com/share/68b19721-341c-800f-b372-527164474018
---
 roles/web-app-pretix/config/main.yml | 37 +++++++++++--------
 roles/web-app-pretix/templates/Dockerfile.j2 | 4 ++
 .../templates/docker-compose.yml.j2 | 28 ++++++++++----
 roles/web-app-pretix/templates/env.j2 | 34 +++++++++++++++++
 roles/web-app-pretix/vars/main.yml | 32 +++++++++++++++-
 5 files changed, 109 insertions(+), 26 deletions(-)

diff --git a/roles/web-app-pretix/config/main.yml b/roles/web-app-pretix/config/main.yml
index 14fffa9e..ff1dda98 100644
--- a/roles/web-app-pretix/config/main.yml
+++ b/roles/web-app-pretix/config/main.yml
@@ -1,31 +1,36 @@ - credentials: {} docker: - images: {} # @todo Move under services - versions: {} # @todo Move under services services: redis: - enabled: false # Enable Redis + enabled: true database: - enabled: false # Enable the database + enabled: true + application: + image: pretix/standalone + version: stable + name: pretix + volumes: + data: "pretix_data" + config: "pretix_config" features: - matomo: true # Enable Matomo Tracking - css: true # Enable Global CSS Styling - desktop: true # Enable loading of app in iframe - ldap: false # Enable LDAP Network - central_database: false # Enable Central Database Network - recaptcha: false # Enable ReCaptcha - oauth2: false # Enable the OAuth2-Proy - javascript: false # Enables the custom JS in the javascript.js.j2 file + matomo: true + css: true + desktop: true + central_database: true logout: true + oidc: true server: csp: - whitelist: {} # URL's which should be whitelisted - flags: {} # Flags which should be set + whitelist: {} + flags: {} domains: canonical: + - "ticket.{{ PRIMARY_DOMAIN }}" + aliases: - "pretix.{{ PRIMARY_DOMAIN }}" - aliases: [] # Alias redirections to the first element of the canonical domains rbac: roles: {} +plugins: + oidc: + version: "2.3.1" diff --git a/roles/web-app-pretix/templates/Dockerfile.j2 b/roles/web-app-pretix/templates/Dockerfile.j2 index e69de29b..4f40b24a 100644 --- a/roles/web-app-pretix/templates/Dockerfile.j2 +++ b/roles/web-app-pretix/templates/Dockerfile.j2 @@ -0,0 +1,4 @@ +ARG PRETIX_BASE_IMAGE={{ PRETIX_IMAGE }}:{{ PRETIX_VERSION }} +FROM ${PRETIX_BASE_IMAGE} +# Install OIDC auth plugin for Pretix +RUN python -m pip install --no-cache-dir "pretix-oidc=={{ PRETIX_OIDC_PLUGIN_VERSION }}" diff --git a/roles/web-app-pretix/templates/docker-compose.yml.j2 b/roles/web-app-pretix/templates/docker-compose.yml.j2 index 83b62280..f801f453 100644 --- a/roles/web-app-pretix/templates/docker-compose.yml.j2 +++ b/roles/web-app-pretix/templates/docker-compose.yml.j2 
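Review bot: `version: stable` under `docker.services.application` makes the base image a moving tag while the plugin is pinned to `plugins.oidc.version: "2.3.1"`, so every rebuild can pull a different pretix release underneath a fixed auth plugin and the deployment is not reproducible; pin the base to a concrete release tag and bump it deliberately, or at least add a comment stating that tracking `stable` is intentional. The canonical host also moves from `pretix.` to `ticket.`; if the Keycloak client's redirect URIs were registered for the old host, the OIDC callback will be rejected until they are updated, which deserves a note next to `canonical:` such as `# Keycloak client redirect URIs must list the canonical host`. `central_database: true` and `docker.services.database.enabled: true` are both set, which reads as two database sources; confirm which one the role actually wires up.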
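Review bot: The `RUN python -m pip install --no-cache-dir "pretix-oidc=={{ PRETIX_OIDC_PLUGIN_VERSION }}"` line pins the plugin version but neither its hash nor its transitive dependencies, so the build still trusts whatever PyPI serves at build time; for the component that decides who may log in, consider installing from a requirements file with `--require-hashes`, or at minimum `--no-deps` plus explicit pins, and note the trade-off in the comment above it. The `FROM ${PRETIX_BASE_IMAGE}` default is a `stable` tag, which compounds the reproducibility problem. As far as I recall, pretix's upstream image drops to an unprivileged user and its plugin-in-Docker guidance wraps the pip call in `USER root` / `USER pretixuser` and then rebuilds static assets; as written the install runs as whatever user the base image leaves active and no asset rebuild happens, so confirm against the base image that the container actually starts with the plugin loaded before relying on this layer.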
@@ -1,20 +1,32 @@ - services: - {% include 'roles/docker-compose/templates/base.yml.j2' %} application: - image: "{{ applications | get_app_conf(application_id, 'images.' ~ application_id, True) }}" - volumes: [] + build: + context: . + dockerfile: Dockerfile + args: + PRETIX_BASE_IMAGE: "{{ PRETIX_IMAGE }}:{{ PRETIX_VERSION }}" + image: "{{ PRETIX_IMAGE }}:{{ PRETIX_VERSION }}-oidc" + container_name: "{{ PRETIX_CONTAINER }}" + hostname: '{{ PRETIX_HOSTNAME}}' + command: ["all"] ports: - - "127.0.0.1:{{ ports.localhost.http[application_id] }}:{{ container_port }}" + - "127.0.0.1:{{ ports.localhost.http[application_id] }}:80" + volumes: + - 'data:/data' + - 'config:/etc/pretix' {% include 'roles/docker-container/templates/healthcheck/curl.yml.j2' %} {% include 'roles/docker-container/templates/base.yml.j2' %} -{% include 'roles/docker-container/templates/depends_on/dmbs_excl.yml.j2' %} + depends_on: + - database + - redis {% include 'roles/docker-container/templates/networks.yml.j2' %} {% include 'roles/docker-compose/templates/volumes.yml.j2' %} + config: + name: {{ PRETIX_CONF_VOLUME }} + data: + name: {{ PRETIX_DATA_VOLUME }} {% include 'roles/docker-compose/templates/networks.yml.j2' %} - - diff --git a/roles/web-app-pretix/templates/env.j2 b/roles/web-app-pretix/templates/env.j2 index e69de29b..e52b82e3 100644 --- a/roles/web-app-pretix/templates/env.j2 +++ b/roles/web-app-pretix/templates/env.j2 
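Review bot: The port mapping `"127.0.0.1:{{ ports.localhost.http[application_id] }}:80"` hard-codes the container port even though `vars/main.yml` in this same commit introduces `container_port: 80` and the removed line used `{{ container_port }}`; keep the variable, `- "127.0.0.1:{{ ports.localhost.http[application_id] }}:{{ container_port }}"`, so the two cannot drift. `depends_on` lists `database` and `redis` in the short form without `condition: service_healthy`, so with `command: ["all"]` pretix may attempt migrations before Postgres accepts connections; if the included base templates do not already add the condition, switch to the long form. `hostname: '{{ PRETIX_HOSTNAME}}'` is missing the space before `}}`, harmless to Jinja but inconsistent with every other expression in the file.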
@@ -0,0 +1,34 @@
+## Pretix core
+PRETIX_PRETIX_INSTANCE_NAME="{{ PRIMARY_DOMAIN | upper }} Tickets"
+PRETIX_PRETIX_URL="{{ PRETIX_URL }}"
+PRETIX_PRETIX_AUTH_BACKENDS="pretix.base.auth.NativeAuthBackend{% if PRETIX_OIDC_ENABLED %},pretix_oidc.auth.OIDCAuthBackend{% endif %}"
+
+## Locale
+PRETIX_LOCALE_TIMEZONE="{{ HOST_TIMEZONE }}"
+
+## Database
+PRETIX_DATABASE_BACKEND="postgresql"
+PRETIX_DATABASE_NAME="{{ database_name }}"
+PRETIX_DATABASE_USER="{{ database_username }}"
+PRETIX_DATABASE_PASSWORD="{{ database_password }}"
+PRETIX_DATABASE_HOST="{{ database_host }}"
+PRETIX_DATABASE_PORT="{{ database_port }}"
+
+## Redis
+PRETIX_REDIS_LOCATION="redis://redis:6379/1"
+PRETIX_REDIS_SESSIONS="true"
+
+## OIDC (plugin)
+{% if PRETIX_OIDC_ENABLED %}
+PRETIX_OIDC_TITLE="{{ PRETIX_OIDC_LABEL | replace('\"','\\\"') }}"
+PRETIX_OIDC_ISSUER="{{ PRETIX_OIDC_ISSUER }}"
+PRETIX_OIDC_AUTHORIZATION_ENDPOINT="{{ PRETIX_OIDC_AUTH_URL }}"
+PRETIX_OIDC_TOKEN_ENDPOINT="{{ PRETIX_OIDC_TOKEN_URL }}"
+PRETIX_OIDC_USERINFO_ENDPOINT="{{ PRETIX_OIDC_USERINFO_URL }}"
+PRETIX_OIDC_END_SESSION_ENDPOINT="{{ PRETIX_OIDC_LOGOUT_URL }}"
+PRETIX_OIDC_JWKS_URI="{{ PRETIX_OIDC_JWKS_URL }}"
+PRETIX_OIDC_CLIENT_ID="{{ PRETIX_OIDC_CLIENT_ID }}"
+PRETIX_OIDC_CLIENT_SECRET="{{ PRETIX_OIDC_CLIENT_SECRET }}"
+PRETIX_OIDC_SCOPES="{{ PRETIX_OIDC_SCOPES }}"
+PRETIX_OIDC_UNIQUE_ATTRIBUTE="{{ PRETIX_OIDC_UNIQUE_ATTRIBUTE }}"
+{% endif %}
diff --git a/roles/web-app-pretix/vars/main.yml b/roles/web-app-pretix/vars/main.yml
index 00327dba..537b4844 100644
--- a/roles/web-app-pretix/vars/main.yml
+++ b/roles/web-app-pretix/vars/main.yml
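Review bot: `PRETIX_PRETIX_AUTH_BACKENDS` keeps `pretix.base.auth.NativeAuthBackend` in front of the OIDC backend, so local password login remains available alongside SSO; that is a reasonable break-glass path, but it should be stated so nobody assumes Keycloak's MFA or lockout policies now cover every pretix login, e.g. `## Native login stays enabled as break-glass admin access; Keycloak MFA/lockout policies do not apply to it`. Sessions are stored in Redis (`PRETIX_REDIS_SESSIONS="true"`) at `redis://redis:6379/1` with no credential, which is acceptable only if the `redis` service is reachable solely from this compose network; if the included network templates attach it to a shared network, add `requirepass` or give pretix its own instance. `PRETIX_OIDC_SCOPES` is rendered as a comma-separated list while OIDC itself uses space-separated scopes; verify against the plugin's documentation which separator it parses before this reaches a deployment.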
@@ -1,2 +1,30 @@
-application_id: web-app-pretix # ID of the application
-database_type: 0 # Database type [postgres, mariadb]
\ No newline at end of file
+application_id: "web-app-pretix"
+database_type: "postgres"
+container_port: 80
+
+# URLs
+PRETIX_URL: "{{ domains | get_url(application_id, WEB_PROTOCOL) }}"
+PRETIX_HOSTNAME: "{{ domains | get_domain(application_id) }}"
+
+# OIDC (mirrors GitLab’s pattern)
+PRETIX_OIDC_ENABLED: "{{ applications | get_app_conf(application_id, 'features.oidc') }}"
+PRETIX_OIDC_LABEL: "{{ OIDC.BUTTON_TEXT }}"
+PRETIX_OIDC_CLIENT_ID: "{{ OIDC.CLIENT.ID }}"
+PRETIX_OIDC_CLIENT_SECRET: "{{ OIDC.CLIENT.SECRET }}"
+PRETIX_OIDC_ISSUER: "{{ OIDC.CLIENT.ISSUER_URL }}"
+PRETIX_OIDC_AUTH_URL: "{{ OIDC.CLIENT.AUTHORIZE_URL }}"
+PRETIX_OIDC_TOKEN_URL: "{{ OIDC.CLIENT.TOKEN_URL }}"
+PRETIX_OIDC_USERINFO_URL: "{{ OIDC.CLIENT.USER_INFO_URL }}"
+PRETIX_OIDC_LOGOUT_URL: "{{ OIDC.CLIENT.LOGOUT_URL }}"
+PRETIX_OIDC_JWKS_URL: "{{ OIDC.CLIENT.CERTS }}"
+PRETIX_OIDC_SCOPES: "openid,email,profile"
+# Use Keycloak username claim by default (plugin default is 'sub')
+PRETIX_OIDC_UNIQUE_ATTRIBUTE: "{{ OIDC.ATTRIBUTES.USERNAME }}"
+
+# Docker
+PRETIX_VERSION: "{{ applications | get_app_conf(application_id, 'docker.services.application.version') }}"
+PRETIX_IMAGE: "{{ applications | get_app_conf(application_id, 'docker.services.application.image') }}"
+PRETIX_CONTAINER: "{{ applications | get_app_conf(application_id, 'docker.services.application.name') }}"
+PRETIX_DATA_VOLUME: "{{ applications | get_app_conf(application_id, 'docker.volumes.data') }}"
+PRETIX_CONF_VOLUME: "{{ applications | get_app_conf(application_id, 'docker.volumes.config') }}"
+PRETIX_OIDC_PLUGIN_VERSION: "{{ applications | get_app_conf(application_id, 'plugins.oidc.version') }}"
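Review bot: `PRETIX_OIDC_UNIQUE_ATTRIBUTE: "{{ OIDC.ATTRIBUTES.USERNAME }}"` links pretix accounts on the username claim instead of the plugin's default `sub`, as the comment above it acknowledges; a username is a mutable, human-chosen identifier, so if Keycloak permits renaming a user or re-creating one under a freed name, the new holder inherits the existing pretix account and its event permissions. `sub` is the stable per-user identifier the protocol provides for exactly this purpose, so unless there is a concrete need for username-based linking prefer `PRETIX_OIDC_UNIQUE_ATTRIBUTE: "sub"`, or if the username is required, extend the comment to `# Linking on username: Keycloak must forbid username reuse/renaming or accounts can be taken over`. `PRETIX_OIDC_CLIENT_SECRET` is plain in this vars file and lands in the rendered env file; that is expected, but the task writing `env.j2` should set `no_log` and restrictive file mode, which is outside this hunk and worth confirming.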