Implemented OAuth2-Proxy for LDAP

group_vars/all

@@ -296,13 +296,16 @@ mybb_version:               "latest"
 nextcloud_version:          "production"  # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/
 
 #### OAuth2 Proxy
-oauth2_configuration_file:            "oauth2-proxy-keycloak.cfg"
-oauth2_proxy_active:                  false   # Needs to be set true in the roles which use it
-oauth2_version:                       "latest"
-oauth2_proxy_redirect_url:            "https://{{domain_keycloak}}/auth/realms/{{primary_domain}}/protocol/openid-connect/auth"  # The redirect URL for the OAuth2 flow. It should match the redirect URL configured in Keycloak.
-# oauth2_proxy_port:                  >= 4180 # This ports should be defined in the roles. They are for the local mapping on the host and need to be defined in the playbook for transparancy.
-# oauth2_proxy_upstream_application_and_port: # The name of the application which the server redirects to. Needs to be defined in role vars.
-oauth2_proxy_allowed_roles:           admin   # Restrict it default to admin role. Use the vars/main.yml to open the specific role for other groups  
+oauth2_configuration_file:                    "oauth2-proxy-keycloak.cfg"
+oauth2_proxy_active:                          false                                     # Needs to be set true in the roles which use it
+oauth2_version:                               "latest"
+oauth2_proxy_redirect_url:                    "https://{{domain_keycloak}}/auth/realms/{{primary_domain}}/protocol/openid-connect/auth"  # The redirect URL for the OAuth2 flow. It should match the redirect URL configured in Keycloak.
+# oauth2_proxy_port:                          >= 4180                                   # This ports should be defined in the roles. They are for the local mapping on the host and need to be defined in the playbook for transparancy.
+oauth2_proxy_upstream_application_and_port:   "application:80"                          # The name of the application which the server redirects to. Needs to be defined in role vars.
+oauth2_proxy_allowed_roles:                   admin                                     # Restrict it default to admin role. Use the vars/main.yml to open the specific role for other groups  
+oauth2_proxy_client_id:                       "{{primary_domain}}"                      # The id of the client application
+oauth2_proxy_client_secret:                   "{{primary_oauth2_proxy_client_secret}}"  # Default use wildcard for primary domain, subdomain client specific configuration in vars files in the roles is possible
+oauth2_proxy_cookie_secret:                   "{{primary_oauth2_proxy_cookie_secret}}"  # Default use wildcard for primary domain, subdomain client specific configuration in vars files in the roles is possible openssl rand -hex 16
 
 #### Open Project
 # openproject_oauth2_proxy_client_secret: Needs to be defined in inventory # The client ID configured in Keycloak for the application. 
@@ -315,8 +318,8 @@ peertube_version:                         "bookworm"
 #### PHPMyAdmin
 phpmyadmin_version:                       "latest"
 phpmyadmin_autologin:                     false     # This is a high security risk. Just activate this option if you know what you're doing
-# phpmyadmin_oauth2_proxy_client_secret:    Needs to be defined in inventory # The client ID configured in Keycloak for the application. 
-# phpmyadmin_oauth2_proxy_cookie_secret:    Needs to be defined in inventory # The client secret configured in Keycloak for the application.
+# phpmyadmin_oauth2_proxy_client_secret:  Needs to be defined in inventory # The client ID configured in Keycloak for the application. 
+# phpmyadmin_oauth2_proxy_cookie_secret:  Needs to be defined in inventory # The client secret configured in Keycloak for the application.
 
 #### Pixelfed
 pixelfed_app_name:          "Pictures on {{primary_domain}}"

playbook.servers.yml

@@ -314,7 +314,8 @@
    -  role: docker-ldap
       vars:
         domain: "{{domain_ldap}}"
-        http_port: 8033
+        http_port:          8033
+        oauth2_proxy_port:  4182
 
 - name: setup PHPMyAdmin
   hosts: phpmyadmin

roles/docker-ldap/templates/docker-compose.yml.j2

@@ -1,11 +1,14 @@
 services:
-{% if ldap_webinterface == 'lam' %}
-  lam:
-    image: ghcr.io/ldapaccountmanager/lam:{{ldap_lam_version}}  # Dies ist das Docker-Image für LAM
-    container_name: lam
+
+{% include 'roles/docker-oauth2-proxy/templates/container.yml.j2' %}
+
+  {{ldap_webinterface}}:
+    container_name: {{ldap_webinterface}}
     logging:
       driver: journald
     restart: {{docker_restart_policy}}
+{% if ldap_webinterface == 'lam' %}
+    image: ghcr.io/ldapaccountmanager/lam:{{ldap_lam_version}}      # Dies ist das Docker-Image für LAM
     ports:
       - 127.0.0.1:{{http_port}}:80 
     environment:                                                    # See all variables here: https://github.com/LDAPAccountManager/lam/blob/develop/lam-packaging/docker/.env  
@@ -23,12 +26,7 @@ services:
       LDAP_USER:           {{ldap_admin_dn}}                         # LDAP admin user (set as login user for LAM)
       LDAP_ADMIN_PASSWORD: {{ldap_administrator_database_password}}  # LDAP admin password
 {% elif ldap_webinterface == 'phpldapadmin' %}
-  phpldapadmin:
-    name: phpldapadmin
     image: leenooks/phpldapadmin:{{ldap_phpldapadmin_version}}
-    logging:
-      driver: journald
-    restart: {{docker_restart_policy}}
     ports:
       - 127.0.0.1:{{http_port}}:8080
     environment:
@@ -38,7 +36,7 @@ services:
 {% endif %}
   openldap:
     image: bitnami/openldap:{{ldap_openldap_version}}
-    name: openldap
+    container_name: openldap
     logging:
       driver: journald
     restart: {{docker_restart_policy}}

roles/docker-ldap/vars/main.yml

@@ -4,3 +4,7 @@ ldap_admin_dn:                "cn={{ldap_administrator_username}},{{ldap_root}}"
 ldap_secure_localhost_port:   1636
 ldap_secure_internet_port:    636
 ldap_localhost_port:          389
+
+# OAuth2 Proxy Configuration
+oauth2_proxy_upstream_application_and_port: "{{ ldap_webinterface }}:{% if ldap_webinterface == 'phpldapadmin' %}8080{% else %}{{ ldap_webinterface }}80{% endif %}"
+oauth2_proxy_active:  true

roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2

@@ -8,12 +8,12 @@ whitelist_domains       =   [".{{primary_domain}}"]
 
 # keycloak provider
 client_secret           =   "{{oauth2_proxy_client_secret}}"
-client_id               =   "{{domain}}"
+client_id               =   "{{oauth2_proxy_client_id}}"
 redirect_url            =   "https://{{domain}}/oauth2/callback"
 oidc_issuer_url         =   "https://{{domain_keycloak}}/realms/{{primary_domain}}"
 provider                =   "oidc"
 provider_display_name   =   "Keycloak"
 
 # role restrictions
-cookie_roles            =   "realm_access.roles"
+#cookie_roles            =   "realm_access.roles"
 allowed_roles           =   "{{oauth2_proxy_allowed_roles}}"

roles/docker-openproject/vars/main.yml

@@ -12,3 +12,4 @@ oauth2_proxy_client_secret:                   "{{openproject_oauth2_proxy_client
 oauth2_proxy_cookie_secret:                   "{{openproject_oauth2_proxy_cookie_secret}}"
 oauth2_proxy_upstream_application_and_port:   "proxy:80"
 oauth2_proxy_active:                          true
+oauth2_proxy_client_id:                        "{{domain}}"

roles/docker-phpmyadmin/vars/main.yml

@@ -2,7 +2,7 @@ docker_compose_project_name:  "phpmyadmin"
 database_type:                "mariadb"
 database_host:                "{{ 'central-' + database_type if enable_central_database}}"
 # OAuth2 Proxy Configuration
-oauth2_proxy_client_secret:                   "{{phpmyadmin_oauth2_proxy_client_secret}}"
-oauth2_proxy_cookie_secret:                   "{{phpmyadmin_oauth2_proxy_cookie_secret}}"
-oauth2_proxy_upstream_application_and_port:   "application:80"
-oauth2_proxy_active:                          true
+oauth2_proxy_client_secret: "{{phpmyadmin_oauth2_proxy_client_secret}}"
+oauth2_proxy_cookie_secret: "{{phpmyadmin_oauth2_proxy_cookie_secret}}"
+oauth2_proxy_active:        true
+oauth2_proxy_client_id:      "{{domain}}"