kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-02-22 20:39:40 +01:00
Code Issues Packages Projects Releases Wiki Activity

Added auto oidc parameters to discourse

Browse Source
This commit is contained in:
Kevin Veen-Birkenbach 2025-01-27 11:51:14 +01:00
parent c896057400
commit 69a98c4c24
4 changed files with 30 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
group_vars/all
View File

@ -217,10 +217,10 @@ akaunting_company_email: "{{administrator_email}}"
akaunting_setup_admin_email: "{{administrator_email}}" akaunting_setup_admin_email: "{{administrator_email}}"
#### Attendize #### Attendize
attendize_version: "latest" attendize_version: "latest"
#### Baserow #### Baserow
baserow_version: "latest" baserow_version: "latest"
#### Big Blue Button #### Big Blue Button
bigbluebutton_enable_greenlight: "true" bigbluebutton_enable_greenlight: "true"
@ -244,7 +244,14 @@ joomla_version: "latest"
#### Keycloak #### Keycloak
keycloak_version: "latest" keycloak_version: "latest"
keycloak_administrator_username: "{{administrator_username}}" # Administrator Username for Keycloak keycloak_administrator_username: "{{administrator_username}}" # Administrator Username for Keycloak
keycloak_oidc_active: true # Implement OpenID Connect https://en.wikipedia.org/wiki/OpenID_Connect
##### Keycloak Client Configuration
oidc_client_active: true # Implement OpenID Connect https://en.wikipedia.org/wiki/OpenID_Connect
oidc_client_id: "{{primary_domain}}"
oidc_client_realm: "{{primary_domain}}"
oidc_client_issuer_url: "https://{{domain_keycloak}}/realms/{{oidc_client_realm}}"
oidc_client_discovery_document: "{{oidc_client_issuer_url}}/.well-known/openid-configuration"
# oidc_client_secret: "{{oidc_client_secret}}" # Default use wildcard for primary domain, subdomain client specific configuration in vars files in the roles is possible
#### LDAP #### LDAP
ldap_lam_version: "latest" ldap_lam_version: "latest"
@ -304,17 +311,14 @@ oauth2_proxy_redirect_url: "https://{{domain_keycloak}}/auth/
# oauth2_proxy_port: >= 4180 # This ports should be defined in the roles. They are for the local mapping on the host and need to be defined in the playbook for transparancy. # oauth2_proxy_port: >= 4180 # This ports should be defined in the roles. They are for the local mapping on the host and need to be defined in the playbook for transparancy.
oauth2_proxy_upstream_application_and_port: "application:80" # The name of the application which the server redirects to. Needs to be defined in role vars. oauth2_proxy_upstream_application_and_port: "application:80" # The name of the application which the server redirects to. Needs to be defined in role vars.
oauth2_proxy_allowed_roles: admin # Restrict it default to admin role. Use the vars/main.yml to open the specific role for other groups oauth2_proxy_allowed_roles: admin # Restrict it default to admin role. Use the vars/main.yml to open the specific role for other groups
oauth2_proxy_client_id: "{{primary_domain}}" # The id of the client application #oauth2_proxy_cookie_secret: "{{oauth2_proxy_cookie_secret}}" # Default use wildcard for primary domain, subdomain client specific configuration in vars files in the roles is possible openssl rand -hex 16
oauth2_proxy_client_secret: "{{primary_oauth2_proxy_client_secret}}" # Default use wildcard for primary domain, subdomain client specific configuration in vars files in the roles is possible
oauth2_proxy_cookie_secret: "{{primary_oauth2_proxy_cookie_secret}}" # Default use wildcard for primary domain, subdomain client specific configuration in vars files in the roles is possible openssl rand -hex 16
oauth2_proxy_oidc_issuer_url: "https://{{domain_keycloak}}/realms/{{primary_domain}}"
#### Peertube #### Peertube
peertube_version: "bookworm" peertube_version: "bookworm"
#### PHPMyAdmin #### PHPMyAdmin
phpmyadmin_version: "latest" phpmyadmin_version: "latest"
phpmyadmin_autologin: false # This is a high security risk. Just activate this option if you know what you're doing phpmyadmin_autologin: false # This is a high security risk. Just activate this option if you know what you're doing
#### Pixelfed #### Pixelfed
pixelfed_app_name: "Pictures on {{primary_domain}}" pixelfed_app_name: "Pictures on {{primary_domain}}"

8
roles/docker-bigbluebutton/templates/env.j2
View File

@ -281,12 +281,12 @@ HELP_URL=https://docs.bigbluebutton.org/greenlight/gl-overview.html
# approval - For approve/decline registration # approval - For approve/decline registration
DEFAULT_REGISTRATION=invite DEFAULT_REGISTRATION=invite
{% if keycloak_oidc_active | bool %} {% if oidc_client_active | bool %}
### EXTERNAL AUTHENTICATION METHODS ### EXTERNAL AUTHENTICATION METHODS
# @See https://docs.bigbluebutton.org/greenlight/v3/external-authentication/ # @See https://docs.bigbluebutton.org/greenlight/v3/external-authentication/
# #
OPENID_CONNECT_CLIENT_ID={{oauth2_proxy_client_id}} OPENID_CONNECT_CLIENT_ID={{oidc_client_id}}
OPENID_CONNECT_CLIENT_SECRET={{oauth2_proxy_client_secret}} OPENID_CONNECT_CLIENT_SECRET={{oidc_client_secret}}
OPENID_CONNECT_ISSUER={{oauth2_proxy_oidc_issuer_url}} OPENID_CONNECT_ISSUER={{oidc_client_issuer_url}}
OPENID_CONNECT_REDIRECT=https://{{domain}} OPENID_CONNECT_REDIRECT=https://{{domain}}
{% endif %} {% endif %}

9
roles/docker-discourse/templates/discourse_application.yml.j2
View File

@ -112,6 +112,15 @@ run:
## If you want to set the 'From' email address for your first registration, uncomment and change: ## If you want to set the 'From' email address for your first registration, uncomment and change:
## After getting the first signup email, re-comment the line. It only needs to run once. ## After getting the first signup email, re-comment the line. It only needs to run once.
#- exec: rails r "SiteSetting.notification_email='info@unconfigured.discourse.org'" #- exec: rails r "SiteSetting.notification_email='info@unconfigured.discourse.org'"
{% if oidc_client_active | bool %}
- exec: rails r "SiteSetting.openid_connect_enabled = true"
- exec: rails r "SiteSetting.openid_connect_discovery_document = '{{oidc_client_discovery_document}}'"
- exec: rails r "SiteSetting.openid_connect_client_id = '{{oidc_client_id}}'"
- exec: rails r "SiteSetting.openid_connect_client_secret = '{{oidc_client_secret}}'"
- exec: rails r "SiteSetting.openid_connect_rp_initiated_logout_redirect = ''"
- exec: rails r "SiteSetting.openid_connect_allow_association_change = false"
- exec: rails r "SiteSetting.openid_connect_rp_initiated_logout = true"
{% endif %}
- exec: echo "End of custom commands" - exec: echo "End of custom commands"
docker_args: docker_args:

6
roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
View File

@ -7,10 +7,10 @@ cookie_domains = ["{{domain}}", "{{domain_keycloak}}"]
whitelist_domains = [".{{primary_domain}}"] # Required to allow redirection back to original requested target. whitelist_domains = [".{{primary_domain}}"] # Required to allow redirection back to original requested target.
# keycloak provider # keycloak provider
client_secret = "{{oauth2_proxy_client_secret}}" client_secret = "{{oidc_client_secret}}"
client_id = "{{oauth2_proxy_client_id}}" client_id = "{{oidc_client_id}}"
redirect_url = "https://{{domain}}/oauth2/callback" redirect_url = "https://{{domain}}/oauth2/callback"
oidc_issuer_url = "{{oauth2_proxy_oidc_issuer_url}}" oidc_issuer_url = "{{oidc_client_issuer_url}}"
provider = "oidc" provider = "oidc"
provider_display_name = "Keycloak" provider_display_name = "Keycloak"