Implemented not working oauth2-proxy draft

2025-10-31 02:10:05 +00:00 · 2025-01-26 13:25:39 +01:00
parent e6292663b4
commit 7b9959af21
8 changed files with 61 additions and 13 deletions
--- a/group_vars/all
+++ b/group_vars/all
@@ -270,7 +270,7 @@ mastodon_single_user_mode:        false
 matrix_administrator_username:  "{{administrator_username}}"  # Accountname of the matrix admin
 matrix_playbook_tags:           "setup-all,start"             # For the initial update use: install-all,ensure-matrix-users-created,start
 matrix_role:                    "compose"                     # Role to setup Matrix. Valid values: ansible, compose
-matrix_server_name:             "{{primary_domain}}"              # Adress for the account names etc.
+matrix_server_name:             "{{primary_domain}}"          # Adress for the account names etc.
 matrix_synapse_version:         "latest"
 matrix_element_version:         "latest"

@@ -286,17 +286,28 @@ moodle_administrator_email: "{{administrator_email}}"
 moodle_version:             "latest"

 #### MyBB
-mybb_version:            "latest"
+mybb_version:               "latest"

 #### Nextcloud
-nextcloud_version:      "production"  # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/
+nextcloud_version:          "production"  # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/
+
+#### OAuth2 Proxy
+oauth2_proxy_active:                  true
+oauth2_version:                       "latest"
+oauth2_proxy_redirect_url:            "https://{{domain_keycloak}}/auth/realms/{{primary_domain}}/protocol/openid-connect/auth"  # The redirect URL for the OAuth2 flow. It should match the redirect URL configured in Keycloak.
+# oauth2_proxy_port:                  >= 4180 # This ports should be defined in the roles. They are for the local mapping on the host and need to be defined in the playbook for transparancy.
+# oauth2_proxy_upstream_application:  # The name of the application which the server redirects to. Needs to be defined in role vars.
+
+#### Open Project
+# openproject_oauth2_proxy_client_secret: Needs to be defined in inventory # The client ID configured in Keycloak for the application. 
+# openproject_oauth2_proxy_cookie_secret: Needs to be defined in inventory # The client secret configured in Keycloak for the application.

 #### Peertube
-peertube_version:       "bookworm"
+peertube_version:           "bookworm"

 #### Pixelfed
-pixelfed_app_name:      "Pictures on {{primary_domain}}"
-pixelfed_version:       "latest"
+pixelfed_app_name:          "Pictures on {{primary_domain}}"
+pixelfed_version:           "latest"

 #### Postgres
 # Please set an version in your inventory file - Rolling release for postgres isn't recommended
--- a/playbook.servers.yml
+++ b/playbook.servers.yml
@@ -228,8 +228,9 @@
  roles:
   -  role: docker-openproject
      vars:
-        domain: "{{domain_openproject}}"
-        http_port: 8023
+        domain:             "{{domain_openproject}}"
+        http_port:          8023
+        oauth2_proxy_port:  4180

 - name: setup gitlab hosts
  hosts: gitlab
--- a/roles/docker-openproject/templates/docker-compose.yml.j2
+++ b/roles/docker-openproject/templates/docker-compose.yml.j2
@@ -22,6 +22,8 @@ services:

 {% include 'templates/docker/services/' + database_type + '.yml.j2' %}

+{% include 'templates/docker/services/oauth2-proxy.yml.j2' %}
+
  cache:
    image: memcached
    container_name: openproject-memcached
@@ -38,7 +40,7 @@ services:
    container_name: openproject-proxy
    command: "./docker/prod/proxy"
    ports:
-      - "${PORT}:80"
+      - "127.0.0.1:{{http_port}}:80"
    environment:
      APP_HOST: web
      OPENPROJECT_RAILS__RELATIVE__URL__ROOT: "${OPENPROJECT_RAILS__RELATIVE__URL__ROOT:-}"
@@ -79,8 +81,8 @@ services:
      - "/var/run/docker.sock:/var/run/docker.sock"
    environment:
      AUTOHEAL_CONTAINER_LABEL: autoheal
-      AUTOHEAL_START_PERIOD: 600
-      AUTOHEAL_INTERVAL: 30
+      AUTOHEAL_START_PERIOD:    600
+      AUTOHEAL_INTERVAL:        30

  worker:
    <<: *app
--- a/roles/docker-openproject/templates/env.j2
+++ b/roles/docker-openproject/templates/env.j2
@@ -8,7 +8,6 @@
 #
 OPENPROJECT_HTTPS=true
 OPENPROJECT_HOST__NAME={{domain}}
-PORT=127.0.0.1:{{http_port}}
 OPENPROJECT_RAILS__RELATIVE__URL__ROOT=
 IMAP_ENABLED=false
 POSTGRES_PASSWORD="{{ database_password }}"
--- a/roles/docker-openproject/vars/main.yml
+++ b/roles/docker-openproject/vars/main.yml
@@ -5,4 +5,7 @@ database_password:                  "{{openproject_database_password}}"
 repository_address:                 "https://github.com/opf/openproject-deploy"
 database_type:                      "postgres"
 # The following volume doesn't have a practcical function. It just exist to prevent the creation of unnecessary anonymous volumes
-dummy_volume:                       "{{repository_directory}}dummy_volume"
+dummy_volume:                       "{{repository_directory}}dummy_volume"
+oauth2_proxy_client_secret:         "{{openproject_oauth2_proxy_client_secret}}"
+oauth2_proxy_cookie_secret:         "{{openproject_oauth2_proxy_cookie_secret}}"
+#oauth2_proxy_upstream_application:  ""
--- a/roles/nginx-docker-reverse-proxy/templates/domain.conf.j2
+++ b/roles/nginx-docker-reverse-proxy/templates/domain.conf.j2
@@ -2,6 +2,18 @@ server
 {
  server_name {{domain}};

+  # Include OAuth2 Proxy
+  {% if oauth2_proxy_active | bool %}
+  # OAuth2-Proxy-Endpunkte
+  location /oauth2/ {
+      proxy_pass http://127.0.0.1:{{oauth2_proxy_port}};
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $scheme;
+  }
+  {% endif %}
+
  # Include Matomo Tracking Code
  {% if nginx_matomo_tracking | bool %}
    {% include 'roles/nginx-matomo-tracking/templates/matomo-tracking.conf.j2' %}
--- a/roles/nginx-docker-reverse-proxy/templates/proxy_pass.conf.j2
+++ b/roles/nginx-docker-reverse-proxy/templates/proxy_pass.conf.j2
@@ -1,5 +1,10 @@
 location /
 {
+  {% if oauth2_proxy_active | bool %}
+  auth_request /oauth2/auth;
+  error_page 401 = /oauth2/start;
+  {% endif %}
+
  proxy_pass http://127.0.0.1:{{http_port}}/;

  # headers
--- a/templates/docker/services/oauth2-proxy.yml.j2
+++ b/templates/docker/services/oauth2-proxy.yml.j2
@@ -0,0 +1,15 @@
+  oauth2-proxy:
+    image: quay.io/oauth2-proxy/oauth2-proxy:{{oauth2_version}}
+    restart: {{docker_restart_policy}}
+    environment:
+      OAUTH2_PROXY_PROVIDER:      "keycloak"                        # The OAuth2 provider, in this case, Keycloak. Change based on your provider (e.g., Google, GitHub).
+      OAUTH2_PROXY_OIDC_ISSUER_URL: "https://auth.veen.world/auth/realms/veen.world"
+      OAUTH2_PROXY_CLIENT_ID:     "{{domain}}"                      # The client ID configured in Keycloak for the application.
+      OAUTH2_PROXY_CLIENT_SECRET: "{{oauth2_proxy_client_secret}}"  # The client secret configured in Keycloak for the application.
+      OAUTH2_PROXY_COOKIE_SECRET: "{{oauth2_proxy_cookie_secret}}"  # A random 32-character string used to sign cookies for session management. Generate with `openssl rand -base64 32`.
+      #OAUTH2_PROXY_EMAIL_DOMAINS: "{{primary_domain}}"              # The allowed email domain(s) for authentication. Example: "example.com".
+      OAUTH2_PROXY_REDIRECT_URL:  "{{oauth2_proxy_redirect_url}}"   # The redirect URL for the OAuth2 flow. It should match the redirect URL configured in Keycloak.
+      OAUTH2_PROXY_UPSTREAMS:     "http://127.0.0.1:{{http_port}}"  # The internal upstream service (your application) that OAuth2-Proxy protects.
+    ports:
+      - "127.0.0.1:{{oauth2_proxy_port}}:4180"
+{% include 'templates/docker/container/networks.yml.j2' %}