Implemented OAuth2-Proxy for LDAP

This commit is contained in:
Kevin Veen-Birkenbach 2025-01-26 22:16:58 +01:00
parent b742ffd476
commit 54cac88d26
7 changed files with 35 additions and 28 deletions


@ -296,13 +296,16 @@ mybb_version: "latest"
nextcloud_version: "production" # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/ nextcloud_version: "production" # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/
#### OAuth2 Proxy #### OAuth2 Proxy
oauth2_configuration_file: "oauth2-proxy-keycloak.cfg" oauth2_configuration_file: "oauth2-proxy-keycloak.cfg"
oauth2_proxy_active: false # Needs to be set true in the roles which use it oauth2_proxy_active: false # Needs to be set true in the roles which use it
oauth2_version: "latest" oauth2_version: "latest"
oauth2_proxy_redirect_url: "https://{{domain_keycloak}}/auth/realms/{{primary_domain}}/protocol/openid-connect/auth" # The redirect URL for the OAuth2 flow. It should match the redirect URL configured in Keycloak. oauth2_proxy_redirect_url: "https://{{domain_keycloak}}/auth/realms/{{primary_domain}}/protocol/openid-connect/auth" # The redirect URL for the OAuth2 flow. It should match the redirect URL configured in Keycloak.
# oauth2_proxy_port: >= 4180 # This ports should be defined in the roles. They are for the local mapping on the host and need to be defined in the playbook for transparancy. # oauth2_proxy_port: >= 4180 # This ports should be defined in the roles. They are for the local mapping on the host and need to be defined in the playbook for transparancy.
# oauth2_proxy_upstream_application_and_port: # The name of the application which the server redirects to. Needs to be defined in role vars. oauth2_proxy_upstream_application_and_port: "application:80" # The name of the application which the server redirects to. Needs to be defined in role vars.
oauth2_proxy_allowed_roles: admin # Restrict it default to admin role. Use the vars/main.yml to open the specific role for other groups oauth2_proxy_allowed_roles: admin # Restrict it default to admin role. Use the vars/main.yml to open the specific role for other groups
oauth2_proxy_client_id: "{{primary_domain}}" # The id of the client application
oauth2_proxy_client_secret: "{{primary_oauth2_proxy_client_secret}}" # Default use wildcard for primary domain, subdomain client specific configuration in vars files in the roles is possible
oauth2_proxy_cookie_secret: "{{primary_oauth2_proxy_cookie_secret}}" # Default use wildcard for primary domain, subdomain client specific configuration in vars files in the roles is possible openssl rand -hex 16
#### Open Project #### Open Project
# openproject_oauth2_proxy_client_secret: Needs to be defined in inventory # The client ID configured in Keycloak for the application. # openproject_oauth2_proxy_client_secret: Needs to be defined in inventory # The client ID configured in Keycloak for the application.
@ -315,8 +318,8 @@ peertube_version: "bookworm"
#### PHPMyAdmin #### PHPMyAdmin
phpmyadmin_version: "latest" phpmyadmin_version: "latest"
phpmyadmin_autologin: false # This is a high security risk. Just activate this option if you know what you're doing phpmyadmin_autologin: false # This is a high security risk. Just activate this option if you know what you're doing
# phpmyadmin_oauth2_proxy_client_secret: Needs to be defined in inventory # The client ID configured in Keycloak for the application. # phpmyadmin_oauth2_proxy_client_secret: Needs to be defined in inventory # The client ID configured in Keycloak for the application.
# phpmyadmin_oauth2_proxy_cookie_secret: Needs to be defined in inventory # The client secret configured in Keycloak for the application. # phpmyadmin_oauth2_proxy_cookie_secret: Needs to be defined in inventory # The client secret configured in Keycloak for the application.
#### Pixelfed #### Pixelfed
pixelfed_app_name: "Pictures on {{primary_domain}}" pixelfed_app_name: "Pictures on {{primary_domain}}"
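Review bot: The new default `oauth2_proxy_upstream_application_and_port: "application:80"` on the group_vars line contradicts the comment kept on that same line, "Needs to be defined in role vars", and the phpmyadmin hunk at the end of this commit drops its explicit upstream line to rely on this default. A role that enables `oauth2_proxy_active` without overriding the upstream now silently proxies to whatever container happens to be named `application` instead of failing at template time with an undefined-variable error. Either leave the value undefined (keep the commented line) or rewrite the comment to `# Default upstream; override in the role's vars/main.yml when the application container is not named "application"`. The new `oauth2_proxy_client_id`/`oauth2_proxy_client_secret`/`oauth2_proxy_cookie_secret` defaults also make every subdomain share one Keycloak client and one cookie secret unless the role overrides them; if the cookie domain spans those subdomains, a session cookie minted by one proxied application is likely accepted by the others, so roles that differ in `oauth2_proxy_allowed_roles` should define their own cookie secret as the openproject and phpmyadmin roles already do.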


@ -314,7 +314,8 @@
- role: docker-ldap - role: docker-ldap
vars: vars:
domain: "{{domain_ldap}}" domain: "{{domain_ldap}}"
http_port: 8033 http_port: 8033
oauth2_proxy_port: 4182
- name: setup PHPMyAdmin - name: setup PHPMyAdmin
hosts: phpmyadmin hosts: phpmyadmin


@ -1,11 +1,14 @@
services: services:
{% if ldap_webinterface == 'lam' %}
lam: {% include 'roles/docker-oauth2-proxy/templates/container.yml.j2' %}
image: ghcr.io/ldapaccountmanager/lam:{{ldap_lam_version}} # Dies ist das Docker-Image für LAM
container_name: lam {{ldap_webinterface}}:
container_name: {{ldap_webinterface}}
logging: logging:
driver: journald driver: journald
restart: {{docker_restart_policy}} restart: {{docker_restart_policy}}
{% if ldap_webinterface == 'lam' %}
image: ghcr.io/ldapaccountmanager/lam:{{ldap_lam_version}} # Dies ist das Docker-Image für LAM
ports: ports:
- 127.0.0.1:{{http_port}}:80 - 127.0.0.1:{{http_port}}:80
environment: # See all variables here: https://github.com/LDAPAccountManager/lam/blob/develop/lam-packaging/docker/.env environment: # See all variables here: https://github.com/LDAPAccountManager/lam/blob/develop/lam-packaging/docker/.env
@ -23,12 +26,7 @@ services:
LDAP_USER: {{ldap_admin_dn}} # LDAP admin user (set as login user for LAM) LDAP_USER: {{ldap_admin_dn}} # LDAP admin user (set as login user for LAM)
LDAP_ADMIN_PASSWORD: {{ldap_administrator_database_password}} # LDAP admin password LDAP_ADMIN_PASSWORD: {{ldap_administrator_database_password}} # LDAP admin password
{% elif ldap_webinterface == 'phpldapadmin' %} {% elif ldap_webinterface == 'phpldapadmin' %}
phpldapadmin:
name: phpldapadmin
image: leenooks/phpldapadmin:{{ldap_phpldapadmin_version}} image: leenooks/phpldapadmin:{{ldap_phpldapadmin_version}}
logging:
driver: journald
restart: {{docker_restart_policy}}
ports: ports:
- 127.0.0.1:{{http_port}}:8080 - 127.0.0.1:{{http_port}}:8080
environment: environment:
@ -38,7 +36,7 @@ services:
{% endif %} {% endif %}
openldap: openldap:
image: bitnami/openldap:{{ldap_openldap_version}} image: bitnami/openldap:{{ldap_openldap_version}}
name: openldap container_name: openldap
logging: logging:
driver: journald driver: journald
restart: {{docker_restart_policy}} restart: {{docker_restart_policy}}
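Review bot: The comment on the LAM `image:` line on the new side is still in German (`# Dies ist das Docker-Image für LAM`) while every other comment in this template is English; change it to `# Docker image for LAM`. The service is now keyed by `{{ldap_webinterface}}` and the `{% if %}`/`{% elif %}` chain that follows has no `{% else %}`, so a misspelt `ldap_webinterface` renders a service with no `image:` and fails only at `docker compose` time with an unhelpful message; a short comment above the service key stating that only `lam` and `phpldapadmin` are valid values would help. The included oauth2-proxy container template has to be indented at the same two-space service level as this file, which cannot be checked from this diff.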


@ -3,4 +3,8 @@ ldap_root: "dc={{primary_domain_sld}},dc={{primary_domain_tld
ldap_admin_dn: "cn={{ldap_administrator_username}},{{ldap_root}}" ldap_admin_dn: "cn={{ldap_administrator_username}},{{ldap_root}}"
ldap_secure_localhost_port: 1636 ldap_secure_localhost_port: 1636
ldap_secure_internet_port: 636 ldap_secure_internet_port: 636
ldap_localhost_port: 389 ldap_localhost_port: 389
# OAuth2 Proxy Configuration
oauth2_proxy_upstream_application_and_port: "{{ ldap_webinterface }}:{% if ldap_webinterface == 'phpldapadmin' %}8080{% else %}{{ ldap_webinterface }}80{% endif %}"
oauth2_proxy_active: true
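Review bot: The `{% else %}` branch of the new `oauth2_proxy_upstream_application_and_port` renders `{{ ldap_webinterface }}80`, so for `ldap_webinterface: lam` the value becomes `lam:lam80`, which is not a valid `host:port` upstream and will leave the proxy unable to reach LAM; the port must be the bare literal, `{% else %}80{% endif %}`, matching the container port 80 used for LAM in the compose template. A comment explaining the two ports would avoid the next regression, e.g. `# phpldapadmin listens on 8080, LAM on 80 (see the docker-compose template)`.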


@ -8,12 +8,12 @@ whitelist_domains = [".{{primary_domain}}"]
# keycloak provider # keycloak provider
client_secret = "{{oauth2_proxy_client_secret}}" client_secret = "{{oauth2_proxy_client_secret}}"
client_id = "{{domain}}" client_id = "{{oauth2_proxy_client_id}}"
redirect_url = "https://{{domain}}/oauth2/callback" redirect_url = "https://{{domain}}/oauth2/callback"
oidc_issuer_url = "https://{{domain_keycloak}}/realms/{{primary_domain}}" oidc_issuer_url = "https://{{domain_keycloak}}/realms/{{primary_domain}}"
provider = "oidc" provider = "oidc"
provider_display_name = "Keycloak" provider_display_name = "Keycloak"
# role restrictions # role restrictions
cookie_roles = "realm_access.roles" #cookie_roles = "realm_access.roles"
allowed_roles = "{{oauth2_proxy_allowed_roles}}" allowed_roles = "{{oauth2_proxy_allowed_roles}}"
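Review bot: With `cookie_roles` commented out and `provider = "oidc"` kept, it is unclear whether the `allowed_roles` restriction (defaulting to `admin` in group_vars) is still enforced; as far as I recall, oauth2-proxy honours `allowed_roles` only for the `keycloak-oidc` provider and the generic `oidc` provider ignores it, which would leave every user of the Keycloak realm able to reach the proxied admin interfaces. Please verify by signing in with a non-admin realm user and, if the check is not enforced, switch to `provider = "keycloak-oidc"` or add a group/claim restriction that the generic provider does support. The commented-out line should either be deleted or carry a comment saying why it was disabled, e.g. `# cookie_roles disabled: <reason — TODO fill in>`. The `client_id` change means one Keycloak client, named after `primary_domain` by default, now receives callbacks from every `https://{{domain}}/oauth2/callback`, so that client's valid redirect URIs in Keycloak must cover each proxied subdomain; that configuration is outside this diff.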


@ -11,4 +11,5 @@ dummy_volume: "{{repository_directory}}dummy_vol
oauth2_proxy_client_secret: "{{openproject_oauth2_proxy_client_secret}}" oauth2_proxy_client_secret: "{{openproject_oauth2_proxy_client_secret}}"
oauth2_proxy_cookie_secret: "{{openproject_oauth2_proxy_cookie_secret}}" oauth2_proxy_cookie_secret: "{{openproject_oauth2_proxy_cookie_secret}}"
oauth2_proxy_upstream_application_and_port: "proxy:80" oauth2_proxy_upstream_application_and_port: "proxy:80"
oauth2_proxy_active: true oauth2_proxy_active: true
oauth2_proxy_client_id: "{{domain}}"


@ -2,7 +2,7 @@ docker_compose_project_name: "phpmyadmin"
database_type: "mariadb" database_type: "mariadb"
database_host: "{{ 'central-' + database_type if enable_central_database}}" database_host: "{{ 'central-' + database_type if enable_central_database}}"
# OAuth2 Proxy Configuration # OAuth2 Proxy Configuration
oauth2_proxy_client_secret: "{{phpmyadmin_oauth2_proxy_client_secret}}" oauth2_proxy_client_secret: "{{phpmyadmin_oauth2_proxy_client_secret}}"
oauth2_proxy_cookie_secret: "{{phpmyadmin_oauth2_proxy_cookie_secret}}" oauth2_proxy_cookie_secret: "{{phpmyadmin_oauth2_proxy_cookie_secret}}"
oauth2_proxy_upstream_application_and_port: "application:80" oauth2_proxy_active: true
oauth2_proxy_active: true oauth2_proxy_client_id: "{{domain}}"