Implemented not working oauth2-proxy draft

2025-02-22 20:39:40 +01:00 · 2025-01-26 13:25:39 +01:00 · 2025-01-26 13:25:39 +01:00 · 7b9959af21
commit 7b9959af21
parent e6292663b4
8 changed files with 61 additions and 13 deletions
--- a/group_vars/all
+++ b/group_vars/all
@ -291,6 +291,17 @@ mybb_version:            "latest"
 #### Nextcloud
 nextcloud_version:          "production"  # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/

+#### OAuth2 Proxy
+oauth2_proxy_active:                  true
+oauth2_version:                       "latest"
+oauth2_proxy_redirect_url:            "https://{{domain_keycloak}}/auth/realms/{{primary_domain}}/protocol/openid-connect/auth"  # The redirect URL for the OAuth2 flow. It should match the redirect URL configured in Keycloak.
+# oauth2_proxy_port:                  >= 4180 # This ports should be defined in the roles. They are for the local mapping on the host and need to be defined in the playbook for transparancy.
+# oauth2_proxy_upstream_application:  # The name of the application which the server redirects to. Needs to be defined in role vars.
+
+#### Open Project
+# openproject_oauth2_proxy_client_secret: Needs to be defined in inventory # The client ID configured in Keycloak for the application. 
+# openproject_oauth2_proxy_cookie_secret: Needs to be defined in inventory # The client secret configured in Keycloak for the application.
+
 #### Peertube
 peertube_version:           "bookworm"

--- a/playbook.servers.yml
+++ b/playbook.servers.yml
@ -230,6 +230,7 @@
      vars:
        domain:             "{{domain_openproject}}"
        http_port:          8023
+        oauth2_proxy_port:  4180

 - name: setup gitlab hosts
  hosts: gitlab
--- a/roles/docker-openproject/templates/docker-compose.yml.j2
+++ b/roles/docker-openproject/templates/docker-compose.yml.j2
@ -22,6 +22,8 @@ services:

 {% include 'templates/docker/services/' + database_type + '.yml.j2' %}

+{% include 'templates/docker/services/oauth2-proxy.yml.j2' %}
+
  cache:
    image: memcached
    container_name: openproject-memcached
@ -38,7 +40,7 @@ services:
    container_name: openproject-proxy
    command: "./docker/prod/proxy"
    ports:
-      - "${PORT}:80"
+      - "127.0.0.1:{{http_port}}:80"
    environment:
      APP_HOST: web
      OPENPROJECT_RAILS__RELATIVE__URL__ROOT: "${OPENPROJECT_RAILS__RELATIVE__URL__ROOT:-}"
--- a/roles/docker-openproject/templates/env.j2
+++ b/roles/docker-openproject/templates/env.j2
@ -8,7 +8,6 @@
 #
 OPENPROJECT_HTTPS=true
 OPENPROJECT_HOST__NAME={{domain}}
-PORT=127.0.0.1:{{http_port}}
 OPENPROJECT_RAILS__RELATIVE__URL__ROOT=
 IMAP_ENABLED=false
 POSTGRES_PASSWORD="{{ database_password }}"
--- a/roles/docker-openproject/vars/main.yml
+++ b/roles/docker-openproject/vars/main.yml
@ -6,3 +6,6 @@ repository_address:                 "https://github.com/opf/openproject-deploy"
 database_type:                      "postgres"
 # The following volume doesn't have a practcical function. It just exist to prevent the creation of unnecessary anonymous volumes
 dummy_volume:                       "{{repository_directory}}dummy_volume"
+oauth2_proxy_client_secret:         "{{openproject_oauth2_proxy_client_secret}}"
+oauth2_proxy_cookie_secret:         "{{openproject_oauth2_proxy_cookie_secret}}"
+#oauth2_proxy_upstream_application:  ""
--- a/roles/nginx-docker-reverse-proxy/templates/domain.conf.j2
+++ b/roles/nginx-docker-reverse-proxy/templates/domain.conf.j2
@ -2,6 +2,18 @@ server
 {
  server_name {{domain}};

+  # Include OAuth2 Proxy
+  {% if oauth2_proxy_active | bool %}
+  # OAuth2-Proxy-Endpunkte
+  location /oauth2/ {
+      proxy_pass http://127.0.0.1:{{oauth2_proxy_port}};
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $scheme;
+  }
+  {% endif %}
+
  # Include Matomo Tracking Code
  {% if nginx_matomo_tracking | bool %}
    {% include 'roles/nginx-matomo-tracking/templates/matomo-tracking.conf.j2' %}
--- a/roles/nginx-docker-reverse-proxy/templates/proxy_pass.conf.j2
+++ b/roles/nginx-docker-reverse-proxy/templates/proxy_pass.conf.j2
@ -1,5 +1,10 @@
 location /
 {
+  {% if oauth2_proxy_active | bool %}
+  auth_request /oauth2/auth;
+  error_page 401 = /oauth2/start;
+  {% endif %}
+
  proxy_pass http://127.0.0.1:{{http_port}}/;

  # headers
--- a/templates/docker/services/oauth2-proxy.yml.j2
+++ b/templates/docker/services/oauth2-proxy.yml.j2
@ -0,0 +1,15 @@
+  oauth2-proxy:
+    image: quay.io/oauth2-proxy/oauth2-proxy:{{oauth2_version}}
+    restart: {{docker_restart_policy}}
+    environment:
+      OAUTH2_PROXY_PROVIDER:      "keycloak"                        # The OAuth2 provider, in this case, Keycloak. Change based on your provider (e.g., Google, GitHub).
+      OAUTH2_PROXY_OIDC_ISSUER_URL: "https://auth.veen.world/auth/realms/veen.world"
+      OAUTH2_PROXY_CLIENT_ID:     "{{domain}}"                      # The client ID configured in Keycloak for the application.
+      OAUTH2_PROXY_CLIENT_SECRET: "{{oauth2_proxy_client_secret}}"  # The client secret configured in Keycloak for the application.
+      OAUTH2_PROXY_COOKIE_SECRET: "{{oauth2_proxy_cookie_secret}}"  # A random 32-character string used to sign cookies for session management. Generate with `openssl rand -base64 32`.
+      #OAUTH2_PROXY_EMAIL_DOMAINS: "{{primary_domain}}"              # The allowed email domain(s) for authentication. Example: "example.com".
+      OAUTH2_PROXY_REDIRECT_URL:  "{{oauth2_proxy_redirect_url}}"   # The redirect URL for the OAuth2 flow. It should match the redirect URL configured in Keycloak.
+      OAUTH2_PROXY_UPSTREAMS:     "http://127.0.0.1:{{http_port}}"  # The internal upstream service (your application) that OAuth2-Proxy protects.
+    ports:
+      - "127.0.0.1:{{oauth2_proxy_port}}:4180"
+{% include 'templates/docker/container/networks.yml.j2' %}