diff --git a/group_vars/all b/group_vars/all
index 725195ad..8aaf49e6 100644
--- a/group_vars/all
+++ b/group_vars/all
@@ -270,7 +270,7 @@ mastodon_single_user_mode: false
 matrix_administrator_username: "{{administrator_username}}" # Accountname of the matrix admin
 matrix_playbook_tags: "setup-all,start" # For the initial update use: install-all,ensure-matrix-users-created,start
 matrix_role: "compose" # Role to setup Matrix. Valid values: ansible, compose
-matrix_server_name: "{{primary_domain}}" # Adress for the account names etc.
+matrix_server_name: "{{primary_domain}}" # Adress for the account names etc.
 matrix_synapse_version: "latest"
 matrix_element_version: "latest"
@@ -286,17 +286,28 @@ moodle_administrator_email: "{{administrator_email}}"
 moodle_version: "latest"
 
 #### MyBB
-mybb_version: "latest"
+mybb_version: "latest"
 
 #### Nextcloud
-nextcloud_version: "production" # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/
+nextcloud_version: "production" # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/
+
+#### OAuth2 Proxy
+oauth2_proxy_active: true
+oauth2_version: "latest"
+oauth2_proxy_redirect_url: "https://{{domain_keycloak}}/auth/realms/{{primary_domain}}/protocol/openid-connect/auth" # The redirect URL for the OAuth2 flow. It should match the redirect URL configured in Keycloak.
+# oauth2_proxy_port: >= 4180 # This ports should be defined in the roles. They are for the local mapping on the host and need to be defined in the playbook for transparancy.
+# oauth2_proxy_upstream_application: # The name of the application which the server redirects to. Needs to be defined in role vars.
+
+#### Open Project
+# openproject_oauth2_proxy_client_secret: Needs to be defined in inventory # The client ID configured in Keycloak for the application.
+# openproject_oauth2_proxy_cookie_secret: Needs to be defined in inventory # The client secret configured in Keycloak for the application.
 
 #### Peertube
-peertube_version: "bookworm"
+peertube_version: "bookworm"
 
 #### Pixelfed
-pixelfed_app_name: "Pictures on {{primary_domain}}"
-pixelfed_version: "latest"
+pixelfed_app_name: "Pictures on {{primary_domain}}"
+pixelfed_version: "latest"
 
 #### Postgres
 # Please set an version in your inventory file - Rolling release for postgres isn't recommended
diff --git a/playbook.servers.yml b/playbook.servers.yml
index a692c588..742e975f 100644
--- a/playbook.servers.yml
+++ b/playbook.servers.yml
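Review bot: `oauth2_proxy_redirect_url` points at Keycloak's own authorization endpoint (`/protocol/openid-connect/auth`), but `OAUTH2_PROXY_REDIRECT_URL` is the callback the identity provider sends the authorization code back to, i.e. the proxy's `/oauth2/callback` on the protected site; as written Keycloak will reject the `redirect_uri` (or deliver the code to itself), so a login can never complete. Because that value depends on the protected domain it cannot be one global default — drop it here and set `oauth2_proxy_redirect_url: "https://{{domain}}/oauth2/callback"` in the role that renders the service, registering exactly that URL as a valid redirect URI on the Keycloak client. The two `#### Open Project` comments describe the wrong things: `openproject_oauth2_proxy_client_secret` is the Keycloak client secret (not the client ID), and `openproject_oauth2_proxy_cookie_secret` is not a Keycloak value at all but a locally generated random key (e.g. `openssl rand -base64 32`) that signs and encrypts the proxy's session cookie. `oauth2_proxy_active: true` as a global default also switches the `auth_request` gate on for every domain rendered by the nginx reverse-proxy templates, including roles that define no `oauth2_proxy_port`; `false` here with a per-role override is the safer default.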
@@ -228,8 +228,9 @@ roles: - role: docker-openproject vars: - domain: "{{domain_openproject}}" - http_port: 8023 + domain: "{{domain_openproject}}" + http_port: 8023 + oauth2_proxy_port: 4180 - name: setup gitlab hosts hosts: gitlab diff --git a/roles/docker-openproject/templates/docker-compose.yml.j2 b/roles/docker-openproject/templates/docker-compose.yml.j2 index d9d9e444..c4e0f96a 100644 --- a/roles/docker-openproject/templates/docker-compose.yml.j2 +++ b/roles/docker-openproject/templates/docker-compose.yml.j2 @@ -22,6 +22,8 @@ services: {% include 'templates/docker/services/' + database_type + '.yml.j2' %} +{% include 'templates/docker/services/oauth2-proxy.yml.j2' %} + cache: image: memcached container_name: openproject-memcached @@ -38,7 +40,7 @@ services: container_name: openproject-proxy command: "./docker/prod/proxy" ports: - - "${PORT}:80" + - "127.0.0.1:{{http_port}}:80" environment: APP_HOST: web OPENPROJECT_RAILS__RELATIVE__URL__ROOT: "${OPENPROJECT_RAILS__RELATIVE__URL__ROOT:-}" @@ -79,8 +81,8 @@ services: - "/var/run/docker.sock:/var/run/docker.sock" environment: AUTOHEAL_CONTAINER_LABEL: autoheal - AUTOHEAL_START_PERIOD: 600 - AUTOHEAL_INTERVAL: 30 + AUTOHEAL_START_PERIOD: 600 + AUTOHEAL_INTERVAL: 30 worker: <<: *app diff --git a/roles/docker-openproject/templates/env.j2 b/roles/docker-openproject/templates/env.j2 index 1a5ec540..c681f44d 100644 --- a/roles/docker-openproject/templates/env.j2 +++ b/roles/docker-openproject/templates/env.j2 @@ -8,7 +8,6 @@ # OPENPROJECT_HTTPS=true OPENPROJECT_HOST__NAME={{domain}} -PORT=127.0.0.1:{{http_port}} OPENPROJECT_RAILS__RELATIVE__URL__ROOT= IMAP_ENABLED=false POSTGRES_PASSWORD="{{ database_password }}" diff --git a/roles/docker-openproject/vars/main.yml b/roles/docker-openproject/vars/main.yml index 766d3a50..6602e309 100644 --- a/roles/docker-openproject/vars/main.yml +++ b/roles/docker-openproject/vars/main.yml 
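Review bot: The `{% include 'templates/docker/services/oauth2-proxy.yml.j2' %}` added to `docker-compose.yml.j2` is unconditional, so the oauth2-proxy container — together with the `oauth2_proxy_client_secret` and `oauth2_proxy_cookie_secret` it needs — is deployed even on a host that sets `oauth2_proxy_active: false`, while the nginx side that actually enforces authentication is gated by that flag. Wrap the include in `{% if oauth2_proxy_active | bool %} … {% endif %}` so the two halves stay consistent and no idle container holds a client secret on hosts that do not use it. With the flag on, the `/oauth2/auth` subrequest is the only thing in front of OpenProject, which is acceptable only because the `proxy` service is now bound to `127.0.0.1:{{http_port}}:80` in the same file; a comment on that `ports:` line saying it must stay on loopback would prevent a later "expose it" change from bypassing the gate.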
@@ -5,4 +5,7 @@ database_password: "{{openproject_database_password}}" repository_address: "https://github.com/opf/openproject-deploy" database_type: "postgres" # The following volume doesn't have a practcical function. It just exist to prevent the creation of unnecessary anonymous volumes -dummy_volume: "{{repository_directory}}dummy_volume" \ No newline at end of file +dummy_volume: "{{repository_directory}}dummy_volume" +oauth2_proxy_client_secret: "{{openproject_oauth2_proxy_client_secret}}" +oauth2_proxy_cookie_secret: "{{openproject_oauth2_proxy_cookie_secret}}" +#oauth2_proxy_upstream_application: "" \ No newline at end of file diff --git a/roles/nginx-docker-reverse-proxy/templates/domain.conf.j2 b/roles/nginx-docker-reverse-proxy/templates/domain.conf.j2 index e5dde64e..6499da4a 100644 --- a/roles/nginx-docker-reverse-proxy/templates/domain.conf.j2 +++ b/roles/nginx-docker-reverse-proxy/templates/domain.conf.j2 @@ -2,6 +2,18 @@ server { server_name {{domain}}; + # Include OAuth2 Proxy + {% if oauth2_proxy_active | bool %} + # OAuth2-Proxy-Endpunkte + location /oauth2/ { + proxy_pass http://127.0.0.1:{{oauth2_proxy_port}}; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } + {% endif %} + # Include Matomo Tracking Code {% if nginx_matomo_tracking | bool %} {% include 'roles/nginx-matomo-tracking/templates/matomo-tracking.conf.j2' %} diff --git a/roles/nginx-docker-reverse-proxy/templates/proxy_pass.conf.j2 b/roles/nginx-docker-reverse-proxy/templates/proxy_pass.conf.j2 index aa696801..c22c713f 100644 --- a/roles/nginx-docker-reverse-proxy/templates/proxy_pass.conf.j2 +++ b/roles/nginx-docker-reverse-proxy/templates/proxy_pass.conf.j2 
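Review bot: The `auth_request /oauth2/auth` subrequest introduced in `proxy_pass.conf.j2` is answered by the generic `location /oauth2/` block added here, which forwards the client's request body and `Content-Length` to oauth2-proxy and gives it no hint of the originally requested URL; oauth2-proxy's reference nginx configuration uses a dedicated `location = /oauth2/auth` marked `internal` that turns `proxy_pass_request_body` off, clears `Content-Length`, and passes `X-Auth-Request-Redirect $request_uri` so the user is sent back to the deep link after login. This block is also rendered for every domain whenever the global `oauth2_proxy_active` is true, yet `oauth2_proxy_port` is only defined for `docker-openproject` in this change, so other roles using this template will presumably fail with an undefined variable unless they set it too — worth confirming. The English comment `# oauth2-proxy endpoints` should replace `# OAuth2-Proxy-Endpunkte` to match the rest of the file. Proposed shape of the block:

```nginx
    {% if oauth2_proxy_active | bool %}
    # Public oauth2-proxy endpoints (/oauth2/start, /oauth2/callback, /oauth2/sign_out)
    location /oauth2/ {
        proxy_pass http://127.0.0.1:{{oauth2_proxy_port}};
        # … unchanged: Host / X-Real-IP / X-Forwarded-* headers …
    }

    # Target of auth_request: never forward the body, tell the proxy where to return to
    location = /oauth2/auth {
        internal;
        proxy_pass http://127.0.0.1:{{oauth2_proxy_port}};
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Auth-Request-Redirect $request_uri;
        proxy_set_header Content-Length "";
        proxy_pass_request_body off;
    }
    {% endif %}
```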
@@ -1,5 +1,10 @@ location / { + {% if oauth2_proxy_active | bool %} + auth_request /oauth2/auth; + error_page 401 = /oauth2/start; + {% endif %} + proxy_pass http://127.0.0.1:{{http_port}}/; # headers diff --git a/templates/docker/services/oauth2-proxy.yml.j2 b/templates/docker/services/oauth2-proxy.yml.j2 new file mode 100644 index 00000000..7e574178 --- /dev/null +++ b/templates/docker/services/oauth2-proxy.yml.j2 @@ -0,0 +1,15 @@ + oauth2-proxy: + image: quay.io/oauth2-proxy/oauth2-proxy:{{oauth2_version}} + restart: {{docker_restart_policy}} + environment: + OAUTH2_PROXY_PROVIDER: "keycloak" # The OAuth2 provider, in this case, Keycloak. Change based on your provider (e.g., Google, GitHub). + OAUTH2_PROXY_OIDC_ISSUER_URL: "https://auth.veen.world/auth/realms/veen.world" + OAUTH2_PROXY_CLIENT_ID: "{{domain}}" # The client ID configured in Keycloak for the application. + OAUTH2_PROXY_CLIENT_SECRET: "{{oauth2_proxy_client_secret}}" # The client secret configured in Keycloak for the application. + OAUTH2_PROXY_COOKIE_SECRET: "{{oauth2_proxy_cookie_secret}}" # A random 32-character string used to sign cookies for session management. Generate with `openssl rand -base64 32`. + #OAUTH2_PROXY_EMAIL_DOMAINS: "{{primary_domain}}" # The allowed email domain(s) for authentication. Example: "example.com". + OAUTH2_PROXY_REDIRECT_URL: "{{oauth2_proxy_redirect_url}}" # The redirect URL for the OAuth2 flow. It should match the redirect URL configured in Keycloak. + OAUTH2_PROXY_UPSTREAMS: "http://127.0.0.1:{{http_port}}" # The internal upstream service (your application) that OAuth2-Proxy protects. + ports: + - "127.0.0.1:{{oauth2_proxy_port}}:4180" +{% include 'templates/docker/container/networks.yml.j2' %} \ No newline at end of file
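Review bot: `error_page 401 = /oauth2/start;` discards the URL the user asked for, so every login lands on `/` instead of the requested page; oauth2-proxy's reference snippet is `error_page 401 = /oauth2/sign_in?rd=$scheme://$host$request_uri;` (or `/oauth2/start?rd=...`), which carries the deep link through the flow. Only 401 is remapped, so a 403 from `/oauth2/auth` (authenticated but not authorized, e.g. by email-domain or group policy) reaches the client as a bare 403 — that is the right behaviour, but it deserves a one-line comment so nobody "fixes" it into a redirect loop. A comment on the `{% if %}` should also state that this is an authentication gate in front of an otherwise unauthenticated upstream: `127.0.0.1:{{http_port}}` remains reachable by anything on the host, so the loopback bind of the backend is part of the security boundary. The enclosing `location /` block continues outside the hunk.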
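Review bot: `OAUTH2_PROXY_OIDC_ISSUER_URL` is hard-coded to `https://auth.veen.world/auth/realms/veen.world` in a template intended to be shared by every role, while the redirect URL in `group_vars/all` derives host and realm from `{{domain_keycloak}}` and `{{primary_domain}}`; use `"https://{{domain_keycloak}}/auth/realms/{{primary_domain}}"` so another inventory does not silently accept tokens from an unrelated issuer, and pin `oauth2_version` rather than tracking `latest` for a component that is the whole authentication boundary. `OAUTH2_PROXY_UPSTREAMS: "http://127.0.0.1:{{http_port}}"` is evaluated inside the oauth2-proxy container, where loopback is the container itself rather than the host; in `auth_request` mode no traffic is forwarded through it, but it should still name the compose service (e.g. `http://proxy:80`) so the setting is not misleading. With `OAUTH2_PROXY_EMAIL_DOMAINS` commented out the proxy will, as far as I recall, refuse to start because it requires an email-domain or authenticated-emails file — set `OAUTH2_PROXY_EMAIL_DOMAINS: "*"` if any Keycloak user may log in, or restrict it deliberately — and add `OAUTH2_PROXY_REVERSE_PROXY: "true"` so the `X-Forwarded-*` headers nginx sets are honoured. Finally, the `keycloak` provider is the legacy one that expects explicit login/redeem/validate URLs, whereas `keycloak-oidc` (or `oidc`) is the provider that consumes `OIDC_ISSUER_URL` via discovery; please verify against the oauth2-proxy version actually deployed.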