Huge role refactoring/cleanup. Other commits will propably follow. Because some bugs will exist. Still important for longrun and also for auto docs/help/slideshow generation

roles/web-app-oauth2-proxy/templates/container.yml.j2

@@ -0,0 +1,11 @@
+{% if applications | is_feature_enabled('oauth2',application_id) %}
+  oauth2-proxy:
+    image: quay.io/oauth2-proxy/oauth2-proxy:{{applications['oauth2-proxy'].version}}
+    restart: {{docker_restart_policy}}
+    command: --config /oauth2-proxy.cfg
+    hostname: oauth2-proxy
+    ports:
+      - {{ports.localhost.oauth2_proxy[application_id]}}:4180/tcp
+    volumes:
+      - "{{docker_compose.directories.volumes}}{{applications['oauth2-proxy'].configuration_file}}:/oauth2-proxy.cfg"
+{% endif %}

roles/web-app-oauth2-proxy/templates/endpoint.conf.j2

@@ -0,0 +1,16 @@
+  {# Include OAuth2 Proxy #}
+  {# Raise the maximal header size. #}
+  {# Keycloak uses huge headers for authentification #}
+  proxy_buffer_size 16k;
+  proxy_buffers 8 16k;
+  proxy_busy_buffers_size 16k;
+  large_client_header_buffers 4 16k;
+
+  # OAuth2-Proxy-Endpoint
+  location /oauth2/ {
+      proxy_pass http://127.0.0.1:{{ports.localhost.oauth2_proxy[application_id]}};
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $scheme;
+  }

roles/web-app-oauth2-proxy/templates/following_directives.conf.j2

@@ -0,0 +1,9 @@
+{# The following directives enforce OAuth2 authentication: #}
+
+auth_request /oauth2/auth;
+{# This directive issues an internal sub-request to '/oauth2/auth' for every incoming request. #}
+{# The sub-request checks if the client is authenticated. #}
+
+error_page 401 = /oauth2/start;
+{# If the authentication check fails (i.e., a 401 Unauthorized is returned), #}
+{# this directive redirects the client to '/oauth2/start', which typically initiates the OAuth2 login process. #}

roles/web-app-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2

@@ -0,0 +1,24 @@
+http_address            =   "0.0.0.0:4180"
+cookie_secret           =   "{{ applications[oauth2_proxy_application_id].credentials.oauth2_proxy_cookie_secret }}"
+cookie_secure           =   "true"                                                                                                                                                  # True is necessary to force the cookie set via https
+upstreams               =   "http://{{ applications[oauth2_proxy_application_id].oauth2_proxy.application }}:{{ applications[oauth2_proxy_application_id].oauth2_proxy.port }}"
+cookie_domains          =   ["{{ domains | get_domain(oauth2_proxy_application_id) }}", "{{ domains | get_domain('keycloak') }}"]                                                   # Required so cookie can be read on all subdomains.
+whitelist_domains       =   [".{{ primary_domain }}"]                                                                                                                               # Required to allow redirection back to original requested target.
+
+# keycloak provider
+client_secret           =   "{{ oidc.client.secret }}"
+client_id               =   "{{ oidc.client.id }}"
+redirect_url            =   "{{ web_protocol }}://{{ domains | get_domain(oauth2_proxy_application_id) }}/oauth2/callback"
+oidc_issuer_url         =   "{{ oidc.client.issuer_url }}"
+provider                =   "oidc"
+provider_display_name   =   "{{ oidc.button_text }}"
+
+{% if applications[oauth2_proxy_application_id].oauth2_proxy.allowed_groups is defined %}
+{# role based restrictions #}
+scope                   =   "openid email profile {{ oidc.claims.groups }}"
+oidc_groups_claim       =   "{{ oidc.claims.groups }}"
+allowed_groups          =   {{ applications[oauth2_proxy_application_id].oauth2_proxy.allowed_groups | tojson }}
+email_domains           =   ["*"]
+{% else %}
+email_domains           =   "{{ primary_domain }}"
+{% endif %}