pretix: enable OIDC support

- add pretix-oidc plugin installation (Dockerfile, version 2.3.1 default) - configure OIDC env vars (issuer, endpoints, client ID/secret, scopes, unique attribute) - enable redis + database, add config/data volumes - switch canonical domain to ticket.<PRIMARY_DOMAIN> with pretix.<PRIMARY_DOMAIN> alias - mirror GitLab-style OIDC var structure for consistency Implements pretix authentication via Keycloak/SSO. See: https://chatgpt.com/share/68b19721-341c-800f-b372-527164474018
2025-08-30 15:28:12 +02:00 · 2025-08-29 14:04:03 +02:00
parent f4ea6c6c0f
commit 092869b29a
5 changed files with 109 additions and 26 deletions
--- a/roles/web-app-pretix/config/main.yml
+++ b/roles/web-app-pretix/config/main.yml
@@ -1,31 +1,36 @@
 credentials: {}
 docker:
  images: {}                # @todo Move under services
  versions: {}              # @todo Move under services
  services:
    redis:
-      enabled:      false   # Enable Redis 
+      enabled:  true
    database:
-      enabled:      false   # Enable the database 
+      enabled:  true
    application:
      image:    pretix/standalone
      version:  stable
      name:     pretix
  volumes:
    data:       "pretix_data"
    config:     "pretix_config"
 features:
-  matomo:           true    # Enable Matomo Tracking
+  matomo:           true
-  css:              true    # Enable Global CSS Styling
+  css:              true
-  desktop:  true    # Enable loading of app in iframe
+  desktop:          true
-  ldap:             false   # Enable LDAP Network
+  central_database: true
  central_database: false   # Enable Central Database Network
  recaptcha:        false   # Enable ReCaptcha
  oauth2:           false   # Enable the OAuth2-Proy
  javascript:       false   # Enables the custom JS in the javascript.js.j2 file   
  logout:           true
  oidc:             true
 server:
  csp:
-    whitelist:        {}      # URL's which should be whitelisted
+    whitelist:      {}
-    flags:            {}      # Flags which should be set
+    flags:          {}
  domains:
    canonical:
      - "ticket.{{ PRIMARY_DOMAIN }}"
    aliases:
      - "pretix.{{ PRIMARY_DOMAIN }}"
    aliases:          []      # Alias redirections to the first element of the canonical domains
 rbac:
  roles: {}
 plugins:
  oidc:
    version: "2.3.1"
--- a/roles/web-app-pretix/templates/Dockerfile.j2
+++ b/roles/web-app-pretix/templates/Dockerfile.j2
@@ -0,0 +1,4 @@
 ARG PRETIX_BASE_IMAGE={{ PRETIX_IMAGE }}:{{ PRETIX_VERSION }}
 FROM ${PRETIX_BASE_IMAGE}
 # Install OIDC auth plugin for Pretix
 RUN python -m pip install --no-cache-dir "pretix-oidc=={{ PRETIX_OIDC_PLUGIN_VERSION }}"
--- a/roles/web-app-pretix/templates/docker-compose.yml.j2
+++ b/roles/web-app-pretix/templates/docker-compose.yml.j2
@@ -1,20 +1,32 @@
 services:
 {% include 'roles/docker-compose/templates/base.yml.j2' %}
  application:
-    image: "{{ applications | get_app_conf(application_id, 'images.' ~ application_id, True) }}"
+    build:
-    volumes: []
+      context: .
      dockerfile: Dockerfile
      args:
        PRETIX_BASE_IMAGE: "{{ PRETIX_IMAGE }}:{{ PRETIX_VERSION }}"
    image: "{{ PRETIX_IMAGE }}:{{ PRETIX_VERSION }}-oidc"
    container_name: "{{ PRETIX_CONTAINER }}"
    hostname: '{{ PRETIX_HOSTNAME}}'
    command: ["all"]
    ports:
-      - "127.0.0.1:{{ ports.localhost.http[application_id] }}:{{ container_port }}"
+      - "127.0.0.1:{{ ports.localhost.http[application_id] }}:80"
    volumes:
      - 'data:/data'
      - 'config:/etc/pretix'
 {% include 'roles/docker-container/templates/healthcheck/curl.yml.j2' %}
 {% include 'roles/docker-container/templates/base.yml.j2' %}
-{% include 'roles/docker-container/templates/depends_on/dmbs_excl.yml.j2' %}
+    depends_on:
      - database
      - redis
 {% include 'roles/docker-container/templates/networks.yml.j2' %}
 {% include 'roles/docker-compose/templates/volumes.yml.j2' %}
  config:
    name: {{ PRETIX_CONF_VOLUME }}
  data:
    name: {{ PRETIX_DATA_VOLUME }}
 {% include 'roles/docker-compose/templates/networks.yml.j2' %}
--- a/roles/web-app-pretix/templates/env.j2
+++ b/roles/web-app-pretix/templates/env.j2
@@ -0,0 +1,34 @@
 ## Pretix core
 PRETIX_PRETIX_INSTANCE_NAME="{{ PRIMARY_DOMAIN | upper }} Tickets"
 PRETIX_PRETIX_URL="{{ PRETIX_URL }}"
 PRETIX_PRETIX_AUTH_BACKENDS="pretix.base.auth.NativeAuthBackend{% if PRETIX_OIDC_ENABLED %},pretix_oidc.auth.OIDCAuthBackend{% endif %}"
 ## Locale
 PRETIX_LOCALE_TIMEZONE="{{ HOST_TIMEZONE }}"
 ## Database
 PRETIX_DATABASE_BACKEND="postgresql"
 PRETIX_DATABASE_NAME="{{ database_name }}"
 PRETIX_DATABASE_USER="{{ database_username }}"
 PRETIX_DATABASE_PASSWORD="{{ database_password }}"
 PRETIX_DATABASE_HOST="{{ database_host }}"
 PRETIX_DATABASE_PORT="{{ database_port }}"
 ## Redis
 PRETIX_REDIS_LOCATION="redis://redis:6379/1"
 PRETIX_REDIS_SESSIONS="true"
 ## OIDC (plugin)
 {% if PRETIX_OIDC_ENABLED %}
 PRETIX_OIDC_TITLE="{{ PRETIX_OIDC_LABEL | replace('\"','\\\"') }}"
 PRETIX_OIDC_ISSUER="{{ PRETIX_OIDC_ISSUER }}"
 PRETIX_OIDC_AUTHORIZATION_ENDPOINT="{{ PRETIX_OIDC_AUTH_URL }}"
 PRETIX_OIDC_TOKEN_ENDPOINT="{{ PRETIX_OIDC_TOKEN_URL }}"
 PRETIX_OIDC_USERINFO_ENDPOINT="{{ PRETIX_OIDC_USERINFO_URL }}"
 PRETIX_OIDC_END_SESSION_ENDPOINT="{{ PRETIX_OIDC_LOGOUT_URL }}"
 PRETIX_OIDC_JWKS_URI="{{ PRETIX_OIDC_JWKS_URL }}"
 PRETIX_OIDC_CLIENT_ID="{{ PRETIX_OIDC_CLIENT_ID }}"
 PRETIX_OIDC_CLIENT_SECRET="{{ PRETIX_OIDC_CLIENT_SECRET }}"
 PRETIX_OIDC_SCOPES="{{ PRETIX_OIDC_SCOPES }}"
 PRETIX_OIDC_UNIQUE_ATTRIBUTE="{{ PRETIX_OIDC_UNIQUE_ATTRIBUTE }}"
 {% endif %}
--- a/roles/web-app-pretix/vars/main.yml
+++ b/roles/web-app-pretix/vars/main.yml
@@ -1,2 +1,30 @@
-application_id: web-app-pretix # ID of the application
+application_id:                 "web-app-pretix"
-database_type:  0                    # Database type [postgres, mariadb]
+database_type:                  "postgres"
 container_port:                 80
 # URLs
 PRETIX_URL:                     "{{ domains | get_url(application_id, WEB_PROTOCOL) }}"
 PRETIX_HOSTNAME:                "{{ domains | get_domain(application_id) }}"
 # OIDC (mirrors GitLab’s pattern)
 PRETIX_OIDC_ENABLED:            "{{ applications | get_app_conf(application_id, 'features.oidc') }}"
 PRETIX_OIDC_LABEL:              "{{ OIDC.BUTTON_TEXT }}"
 PRETIX_OIDC_CLIENT_ID:          "{{ OIDC.CLIENT.ID }}"
 PRETIX_OIDC_CLIENT_SECRET:      "{{ OIDC.CLIENT.SECRET }}"
 PRETIX_OIDC_ISSUER:             "{{ OIDC.CLIENT.ISSUER_URL }}"
 PRETIX_OIDC_AUTH_URL:           "{{ OIDC.CLIENT.AUTHORIZE_URL }}"
 PRETIX_OIDC_TOKEN_URL:          "{{ OIDC.CLIENT.TOKEN_URL }}"
 PRETIX_OIDC_USERINFO_URL:       "{{ OIDC.CLIENT.USER_INFO_URL }}"
 PRETIX_OIDC_LOGOUT_URL:         "{{ OIDC.CLIENT.LOGOUT_URL }}"
 PRETIX_OIDC_JWKS_URL:           "{{ OIDC.CLIENT.CERTS }}"
 PRETIX_OIDC_SCOPES:             "openid,email,profile"
 # Use Keycloak username claim by default (plugin default is 'sub')
 PRETIX_OIDC_UNIQUE_ATTRIBUTE:   "{{ OIDC.ATTRIBUTES.USERNAME }}"
 # Docker
 PRETIX_VERSION:                 "{{ applications | get_app_conf(application_id, 'docker.services.application.version') }}"
 PRETIX_IMAGE:                   "{{ applications | get_app_conf(application_id, 'docker.services.application.image') }}"
 PRETIX_CONTAINER:               "{{ applications | get_app_conf(application_id, 'docker.services.application.name') }}"
 PRETIX_DATA_VOLUME:             "{{ applications | get_app_conf(application_id, 'docker.volumes.data') }}"
 PRETIX_CONF_VOLUME:             "{{ applications | get_app_conf(application_id, 'docker.volumes.config') }}"
 PRETIX_OIDC_PLUGIN_VERSION:     "{{ applications | get_app_conf(application_id, 'plugins.oidc.version') }}"