Huge role refactoring/cleanup. Other commits will propably follow. Because some bugs will exist. Still important for longrun and also for auto docs/help/slideshow generation

roles/web-app-oauth2-proxy/README.md

@@ -0,0 +1,58 @@
+# Docker OAuth2 Proxy Role
+
+Welcome to the **Docker OAuth2 Proxy Role**! 🌟 This role contains helper functions to set up an OAuth2 proxy using [OAuth2 Proxy](https://github.com/oauth2-proxy/oauth2-proxy), a tool designed to secure applications by protecting them with OAuth2 authentication. 💡
+
+## Overview
+
+The OAuth2 Proxy is used to shield specific web applications from unauthorized access by requiring users to authenticate via an external identity provider, such as Keycloak. This role simplifies the setup process by providing templated configurations and tasks to integrate the OAuth2 Proxy with Docker Compose and Keycloak.
+
+## Features
+
+- 🚀 Automated configuration transfer to your Docker Compose instance.
+- 🔧 Template files for a fully customizable proxy setup.
+- 🔐 Integration with Keycloak as an OpenID Connect (OIDC) provider.
+- 🛡️ Configurations to secure applications and allow cookie-based authentication across subdomains.
+
+## How It Works
+
+The role includes the following key components:
+
+1. **Templates**:
+    - `oauth2-proxy-keycloak.cfg.j2`: A configuration file for the OAuth2 Proxy, pre-integrated with Keycloak as an identity provider.
+    - `container.yml.j2`: A container definition for the OAuth2 Proxy, specifying the image, ports, volumes, and restart policies.
+
+2. **Tasks**:
+    - A task to transfer the templated configuration to the Docker Compose instance directory.
+    - A notifier to trigger the setup of the Docker Compose project after transferring the configuration.
+
+3. **Integration**:
+    - Keycloak is configured as the OIDC provider, enabling seamless authentication and authorization.
+    - Upstream application support ensures traffic is securely proxied to the correct destination.
+
+## Why Use This Proxy?
+
+Using this proxy ensures that only authenticated users can access your protected applications. By leveraging OAuth2, you can:
+
+- ✅ Secure applications with minimal configuration.
+- ✅ Enable single sign-on (SSO) and centralized user management.
+- ✅ Restrict access to specific domains and subdomains.
+
+## Dependencies
+
+Before using this role, ensure you have the following:
+
+- Docker and Docker Compose installed on your system.
+- A running Keycloak instance configured with the appropriate realm and clients.
+
+## Learn More
+
+To learn more about OAuth2 Proxy, check out the [official documentation](https://oauth2-proxy.github.io/oauth2-proxy/).
+
+## Author
+
+This role was created and maintained by **Kevin Veen-Birkenbach**. 🌍 You can learn more about Kevin and his projects at [veen.world](https://www.veen.world).
+
+---
+
+Protect your web applications with ease and confidence! ✨
+

roles/web-app-oauth2-proxy/Setup.md

@@ -0,0 +1,9 @@
+# Setup
+
+## Cookie Secret
+
+To generate a cookie secret execute:
+
+```bash
+ansible-vault encrypt_string "$(openssl rand -hex 16)"
+```

roles/web-app-oauth2-proxy/Todo.md

@@ -0,0 +1,2 @@
+# Todo
+- Implement RBAC based authentification for admins

roles/web-app-oauth2-proxy/tasks/main.yml

@@ -0,0 +1,6 @@
+- name: "Transfering oauth2-proxy-keycloak.cfg.j2 to {{(path_docker_compose_instances | get_docker_compose(oauth2_proxy_application_id)).directories.volumes}}"
+  template:
+    src: oauth2-proxy-keycloak.cfg.j2
+    dest: "{{(path_docker_compose_instances | get_docker_compose(oauth2_proxy_application_id)).directories.volumes}}{{applications[application_id].configuration_file}}"
+  notify:
+    - docker compose up

roles/web-app-oauth2-proxy/templates/container.yml.j2

@@ -0,0 +1,11 @@
+{% if applications | is_feature_enabled('oauth2',application_id) %}
+  oauth2-proxy:
+    image: quay.io/oauth2-proxy/oauth2-proxy:{{applications['oauth2-proxy'].version}}
+    restart: {{docker_restart_policy}}
+    command: --config /oauth2-proxy.cfg
+    hostname: oauth2-proxy
+    ports:
+      - {{ports.localhost.oauth2_proxy[application_id]}}:4180/tcp
+    volumes:
+      - "{{docker_compose.directories.volumes}}{{applications['oauth2-proxy'].configuration_file}}:/oauth2-proxy.cfg"
+{% endif %}

roles/web-app-oauth2-proxy/templates/endpoint.conf.j2

@@ -0,0 +1,16 @@
+  {# Include OAuth2 Proxy #}
+  {# Raise the maximal header size. #}
+  {# Keycloak uses huge headers for authentification #}
+  proxy_buffer_size 16k;
+  proxy_buffers 8 16k;
+  proxy_busy_buffers_size 16k;
+  large_client_header_buffers 4 16k;
+
+  # OAuth2-Proxy-Endpoint
+  location /oauth2/ {
+      proxy_pass http://127.0.0.1:{{ports.localhost.oauth2_proxy[application_id]}};
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $scheme;
+  }

roles/web-app-oauth2-proxy/templates/following_directives.conf.j2

@@ -0,0 +1,9 @@
+{# The following directives enforce OAuth2 authentication: #}
+
+auth_request /oauth2/auth;
+{# This directive issues an internal sub-request to '/oauth2/auth' for every incoming request. #}
+{# The sub-request checks if the client is authenticated. #}
+
+error_page 401 = /oauth2/start;
+{# If the authentication check fails (i.e., a 401 Unauthorized is returned), #}
+{# this directive redirects the client to '/oauth2/start', which typically initiates the OAuth2 login process. #}

roles/web-app-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2

@@ -0,0 +1,24 @@
+http_address            =   "0.0.0.0:4180"
+cookie_secret           =   "{{ applications[oauth2_proxy_application_id].credentials.oauth2_proxy_cookie_secret }}"
+cookie_secure           =   "true"                                                                                                                                                  # True is necessary to force the cookie set via https
+upstreams               =   "http://{{ applications[oauth2_proxy_application_id].oauth2_proxy.application }}:{{ applications[oauth2_proxy_application_id].oauth2_proxy.port }}"
+cookie_domains          =   ["{{ domains | get_domain(oauth2_proxy_application_id) }}", "{{ domains | get_domain('keycloak') }}"]                                                   # Required so cookie can be read on all subdomains.
+whitelist_domains       =   [".{{ primary_domain }}"]                                                                                                                               # Required to allow redirection back to original requested target.
+
+# keycloak provider
+client_secret           =   "{{ oidc.client.secret }}"
+client_id               =   "{{ oidc.client.id }}"
+redirect_url            =   "{{ web_protocol }}://{{ domains | get_domain(oauth2_proxy_application_id) }}/oauth2/callback"
+oidc_issuer_url         =   "{{ oidc.client.issuer_url }}"
+provider                =   "oidc"
+provider_display_name   =   "{{ oidc.button_text }}"
+
+{% if applications[oauth2_proxy_application_id].oauth2_proxy.allowed_groups is defined %}
+{# role based restrictions #}
+scope                   =   "openid email profile {{ oidc.claims.groups }}"
+oidc_groups_claim       =   "{{ oidc.claims.groups }}"
+allowed_groups          =   {{ applications[oauth2_proxy_application_id].oauth2_proxy.allowed_groups | tojson }}
+email_domains           =   ["*"]
+{% else %}
+email_domains           =   "{{ primary_domain }}"
+{% endif %}

roles/web-app-oauth2-proxy/vars/configuration.yml

@@ -0,0 +1,7 @@
+configuration_file: "oauth2-proxy-keycloak.cfg" # Needs to be set true in the roles which use it
+version:            "latest"                    # Docker Image version
+allowed_roles:      "admin"                     # Restrict it default to admin role. Use the vars/main.yml to open the specific role for other groups  
+features:
+  matomo: true
+  css: true
+  portfolio_iframe: false

roles/web-app-oauth2-proxy/vars/main.yml

@@ -0,0 +1 @@
+application_id: oauth2-proxy