Updated security for OAuth2 and optimized CSS

group_vars/all/07_applications.yml

@@ -126,6 +126,7 @@ defaults_applications:
       enabled:                        true                                      # Activate the OAuth2 Proxy for the LDAP Webinterface
       application:                    lam                                       # Needs to be the same as webinterface
       port:                           80                                        # If you use phpldapadmin set it to 8080
+#     cookie_secret:                  None                                      # Set via openssl rand -hex 16
     database:
       central_storage:                false                                     # LDAP doesn't use an database in the current configuration. Propably a good idea to implement one later. 
     # administrator_password:                                                   # CHANGE for security reasons in inventory file
@@ -164,6 +165,7 @@ defaults_applications:
     version:                          "latest"
     oauth2_proxy:
       enabled:                        false                         # Deactivated atm. @todo implement 
+#     cookie_secret:                  None                          # Set via openssl rand -hex 16
 #   database_password:                Null                          # Needs to be set in inventory file
 #   auth_token:                       Null                          # Needs to be set in inventory file
     css:
@@ -237,15 +239,13 @@ defaults_applications:
 #     database_password:  Null          # Needs to be set in inventory file
       administrator_username:           "{{administrator_username}}"
       administrator_initial_password:   "{{administrator_initial_password}}"
-
-
+      
   ## OAuth2 Proxy
   oauth2_proxy:
     configuration_file: "oauth2-proxy-keycloak.cfg"                                                                     # Needs to be set true in the roles which use it
     version:            "latest"                                                                                        # Docker Image version
     redirect_url:       "https://{{domains.keycloak}}/auth/realms/{{primary_domain}}/protocol/openid-connect/auth"      # The redirect URL for the OAuth2 flow. It should match the redirect URL configured in Keycloak.
     allowed_roles:      admin                                                                                           # Restrict it default to admin role. Use the vars/main.yml to open the specific role for other groups  
-    cookie_secret:      "{{ applications.oauth2_proxy.cookie_secret if applications.oauth2_proxy is defined else '' }}" # Default use wildcard for primary domain, subdomain client specific configuration in vars files in the roles is possible openssl rand -hex 16
 
   ## Open Project
   openproject:
@@ -254,6 +254,7 @@ defaults_applications:
       enabled:            true    # OpenProject doesn't support OIDC, so this procy in combination with LDAP is needed
       application:        "proxy"
       port:               "80"
+#     cookie_secret:      None    # Set via openssl rand -hex 16
     ldap_enabled:         True    # Enables LDAP by default
     database:
       central_storage:    True 
@@ -275,10 +276,11 @@ defaults_applications:
       enabled:            true
       port:               "80"
       application:        "application"
+#     cookie_secret:      None            # Set via openssl rand -hex 16
     database:
       central_storage:    True
     css:
-      enabled:            True           # The css needs more optimation for PHPMyAdmin
+      enabled:            False           # The css needs more optimation for PHPMyAdmin
 
   ## Pixelfed
   pixelfed:
@@ -316,7 +318,8 @@ defaults_applications:
       enabled:                true
       application:            "application"
       port:                   "80"
-      location:               "/admin/"                       # Protects the admin area
+      location:               "/admin/"       # Protects the admin area
+#     cookie_secret:          None            # Set via openssl rand -hex 16
     database:
       central_storage:        True
 

roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2

@@ -1,7 +1,7 @@
 http_address            =   "0.0.0.0:4180"
-cookie_secret           =   "{{applications.oauth2_proxy.cookie_secret}}"
+cookie_secret           =   "{{applications[application_id].oauth2_proxy.cookie_secret}}"
 email_domains           =   "{{primary_domain}}"
-cookie_secure           =   "false"
+cookie_secure           =   "true"                                                  # True is necessary to force the cookie set via https
 upstreams               =   "http://{{applications[application_id].oauth2_proxy.application}}:{{applications[application_id].oauth2_proxy.port}}"
 cookie_domains          =   ["{{domain}}", "{{domains.keycloak}}"]                  # Required so cookie can be read on all subdomains.
 whitelist_domains       =   [".{{primary_domain}}"]                                 # Required to allow redirection back to original requested target.
@@ -15,5 +15,5 @@ provider                =   "oidc"
 provider_display_name   =   "Keycloak"
 
 # role restrictions
-#cookie_roles            =   "realm_access.roles"
-allowed_roles           =   "{{applications.oauth2_proxy.allowed_roles}}"
+#cookie_roles           =   "realm_access.roles"
+allowed_roles           =   "{{applications.oauth2_proxy.allowed_roles}}"           # This is not correct here. needs to be placed in applications @todo move there when implementing

roles/docker-openproject/vars/main.yml

@@ -1,6 +1,6 @@
 application_id:               "openproject"
 docker_repository_address:    "https://github.com/opf/openproject-deploy"
-database_password:            "{{openproject_database_password}}"
+database_password:            "{{applications[application_id].credentials.database_password}}"
 database_type:                "postgres"
 
 openproject_plugins_service:  "{{docker_compose.directories.services}}plugins/"

roles/nginx-modifier-css/templates/global.css.j2

@@ -847,6 +847,7 @@ html[native-dark-active] .btn, .btn {
     /* New Gradient based on original background (90 -5, 90, 90 +1, 90 +5) */
     background: linear-gradient({{ range(0, 361) | random }}deg, var(--color-85), var(--color-90), var(--color-91), var(--color-95));
     border-color: var(--color-85);
+    color: var(--color-12);
 }
 
 .card-body {
@@ -877,7 +878,7 @@ html[native-dark-active] .btn, .btn {
     color: var(--color-40);
 }
 
-/* Keycloak Header */
+/* Keycloak */
 div#app header, div#app header *{
     background-color: var(--color-60);
     /* New Gradient based on original background (60 -5, 60, 60 +1, 60 +5) */
@@ -998,7 +999,6 @@ div#mastodon .dropdown-button{
 
 div#mastodon .button, div#mastodon .button:active, div#mastodon .button:focus, div#mastodon .button:hover{
     background-color: var(--color-71);
-    /* New Gradient based on original background (71 -5, 71, 71 +1, 71 +5) */
     background: linear-gradient({{ range(0, 361) | random }}deg, var(--color-66), var(--color-71), var(--color-72), var(--color-76));
 }
 
@@ -1009,16 +1009,29 @@ div#mastodon .button, div#mastodon .button:active, div#mastodon .button:focus, d
 /** OpenProject **/
 header.op-app-header{
     background-color: var(--color-40);
-    /* New Gradient based on original background (40 -5, 40, 40 +1, 40 +5) */
     background: linear-gradient({{ range(0, 361) | random }}deg, var(--color-35), var(--color-40), var(--color-41), var(--color-45));
     color: var(--color-40);
 }
 
-/** Open Project **/
 div#wrapper button, div#wrapper input, button.top-menu-search-button, div.menu-sidebar a{
     background-color: transparent;
 }
 
+/* OAuth2 Proxy */
+{# The variables look like they are bootstrap variables. @todo Verify and generalize if possible #}
+.box {
+    background-color: var(--color-92);
+    color: var(--color-10);
+}
+
+.subtitle {
+    color: inherit;
+}
+
+.has-background-light {
+    background-color: var(--color-96) !important;
+}
+
 /* Pixelfed */
 div.page-wrapper{
     background: none;