diff --git a/group_vars/all/07_applications.yml b/group_vars/all/07_applications.yml index 556763a2..9acf5a05 100644 --- a/group_vars/all/07_applications.yml +++ b/group_vars/all/07_applications.yml @@ -82,7 +82,6 @@ defaults_applications: lam: version: "latest" administrator_password: "{{user_administrator_initial_password}}" # CHANGE for security reasons - oauth2_proxy_active: true openldap: version: "latest" network: @@ -94,7 +93,10 @@ defaults_applications: webinterface: "lam" # The webinterface which should be used. Possible: lam and phpldapadmin administrator_username: "{{administrator_username}}" ldap_enabled: True # Should have the same value as applications.ldap.openldap.network.local. - # Both need to be set to True to load the ldap_network in the docker compose file + oauth2_proxy: + enabled: true # Activate the OAuth2 Proxy for the LDAP Webinterface + application: lam # Needs to be the same as webinterface + port: 80 # If you use phpldapadmin set it to 8080 # administrator_password: # CHANGE for security reasons in inventory file # administrator_database_password: # CHANGE for security reasons in inventory file @@ -112,6 +114,8 @@ defaults_applications: ## Matomo matomo: version: "latest" + oauth2_proxy: + enabled: false # Deactivated atm. @todo implement ## Mastodon mastodon: @@ -163,9 +167,12 @@ defaults_applications: ## Open Project openproject: - version: "13" # Update when available. Sadly no rolling release implemented - oauth2_proxy_active: true - ldap_enabled: True # Enables LDAP by default + version: "13" # Update when available. Sadly no rolling release implemented + oauth2_proxy: + enabled: true # OpenProject doesn't support OIDC, so this procy in combination with LDAP is needed + application: "proxy" + port: "80" + ldap_enabled: True # Enables LDAP by default ## Peertube peertube: 
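Review bot: In the ldap hunk the new `port: 80` is an unquoted integer while the openproject, phpmyadmin and yourls hunks in this file write `port: "80"`; use one form for all four (the value is only interpolated into the proxy's `upstreams` string, so `"80"` is the safer spelling against YAML retyping). The comments `# Needs to be the same as webinterface` and `# If you use phpldapadmin set it to 8080` encode a coupling that the deleted `roles/docker-ldap/vars/main.yml` used to enforce automatically from `applications.ldap.webinterface` with its 8080/80 switch; if the way `applications` is merged permits a self-reference, `application: "{{ applications.ldap.webinterface }}"` would keep the three keys from drifting, otherwise the comment should say that a mismatch leaves the proxy forwarding to a non-existent upstream. The `defaults_applications` mapping continues outside the hunk.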
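Review bot: The comment on the new openproject `enabled` line misspells the component; it should read `# OpenProject doesn't support OIDC, so this proxy in combination with LDAP is needed`. The re-indented `ldap_enabled: True` line in the same hunk keeps the capitalised boolean next to the new lowercase `enabled: true`; since that line is touched anyway, `true` would make the block consistent.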
@@ -175,7 +182,10 @@ defaults_applications: phpmyadmin: version: "latest" autologin: false # This is a high security risk. Just activate this option if you know what you're doing - oauth2_proxy_active: true + oauth2_proxy: + enabled: true + port: "80" + application: "application" ## Pixelfed pixelfed: @@ -198,4 +208,9 @@ defaults_applications: ## YOURLS yourls: administrator_username: "{{administrator_username}}" - version: "latest" \ No newline at end of file + version: "latest" + oauth2_proxy: + enabled: true + application: "application" + port: "80" + location: "/admin/" # Protects the admin arear \ No newline at end of file diff --git a/group_vars/all/09_ports.yml b/group_vars/all/09_ports.yml index 9337b6eb..087201c7 100644 --- a/group_vars/all/09_ports.yml +++ b/group_vars/all/09_ports.yml @@ -7,6 +7,7 @@ ports: phpmyadmin: 4181 ldap: 4182 openproject: 4183 + yourls: 4184 ldap: openldap: 389 http: @@ -25,7 +26,7 @@ ports: roulette-wheel: 8013 joomla: 8014 attendize: 8015 - #matrix: 8016 Not used anymore + #matrix: 8016 Not used anymore baserow: 8017 matomo: 8018 listmonk: 8019 diff --git a/group_vars/all/10_networks.yml b/group_vars/all/10_networks.yml index 443199ce..3b48e1bf 100644 --- a/group_vars/all/10_networks.yml +++ b/group_vars/all/10_networks.yml @@ -50,8 +50,9 @@ defaults_networks: subnet: 192.168.102.48/28 nextcloud: subnet: 192.168.102.64/28 - oauth2_proxy: - subnet: 192.168.102.80/28 + # This network should be free. Use it for another application -> + #oauth2_proxy: + # subnet: 192.168.102.80/28 peertube: subnet: 192.168.102.96/28 phpmyadmin: diff --git a/group_vars/all/11_iam.yml b/group_vars/all/11_iam.yml index 9ae2caed..4eb1d3a1 100644 --- a/group_vars/all/11_iam.yml +++ b/group_vars/all/11_iam.yml 
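Review bot: The yourls `location: "/admin/"` only gates that URL prefix; every other path on the domain is still served by the unprotected `location /` that domain.conf.j2 emits first, including a request for `/admin` without the trailing slash, so the comment should state that scope instead of implying the whole admin area is covered: `# Only requests under /admin/ are gated by the OAuth2 proxy; all other paths stay public`. Whether the application has further admin-only entry points outside that prefix is not visible here and should be checked before relying on this. The existing comment also has a typo (`arear`).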
@@ -7,7 +7,7 @@ ############################################# # @see https://en.wikipedia.org/wiki/OpenID_Connect -## Private configuration variables: +## Helper Variables: _oidc_client_realm: "{{ oidc.client.realm if oidc.client is defined and oidc.client.realm is defined else primary_domain }}" _oidc_client_issuer_url: "https://{{domains.keycloak}}/realms/{{_oidc_client_realm}}" @@ -25,18 +25,11 @@ defaults_oidc: logout_url: "{{_oidc_client_issuer_url}}/protocol/openid-connect/logout" # Endpoint to log out the user change_credentials: "{{_oidc_client_issuer_url}}account/account-security/signing-in" # URL for managing or changing user credentials -############################################# -### OAuth2-Proxy ### -############################################# -# The name of the application which the server redirects to. Needs to be defined in role vars. -oauth2_proxy_upstream_application_and_port: "application:80" -oauth2_proxy_active: false - ############################################# ### LDAP ### ############################################# -# Helper variables +# Helper Variables: _ldap_dn_base: "dc={{primary_domain_sld}},dc={{primary_domain_tld}}" ldap: diff --git a/roles/docker-keycloak/templates/import/realm.json.j2 b/roles/docker-keycloak/templates/import/realm.json.j2 index 262d88e1..44d9cc87 100644 --- a/roles/docker-keycloak/templates/import/realm.json.j2 +++ b/roles/docker-keycloak/templates/import/realm.json.j2 @@ -836,7 +836,7 @@ "redirectUris": [ {%- set redirect_uris = [] -%} {%- for application, domain in defaults_domains.items() -%} - {%- if applications[application] is defined and applications[application].oauth2_proxy_active is defined and applications[application].oauth2_proxy_active -%} + {%- if applications[application_id] is defined and applications[application_id].oauth2_proxy.enabled | default(false) | bool -%} {%- if domain is string -%} {%- set _ = redirect_uris.append("https://" ~ domain ~ "/*") -%} {%- else -%} 
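Review bot: The rewritten condition tests `applications[application_id]` while the enclosing `for application, domain in defaults_domains.items()` loop iterates `application`, so the check no longer depends on the loop variable: the realm gets a `https://<domain>/*` redirect URI for every domain in `defaults_domains`, or for none, depending solely on the `oauth2_proxy.enabled` value of whichever role renders this template. An OIDC client registration must keep its redirect URIs to the hosts that actually use the client, because Keycloak will deliver authorization codes to any of them. Use the loop variable: `{%- if applications[application] is defined and applications[application].oauth2_proxy.enabled | default(false) | bool -%}`. The loop continues outside the hunk.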
diff --git a/roles/docker-ldap/vars/main.yml b/roles/docker-ldap/vars/main.yml index f7853aa7..655b0b51 100644 --- a/roles/docker-ldap/vars/main.yml +++ b/roles/docker-ldap/vars/main.yml @@ -2,10 +2,6 @@ application_id: "ldap" ldaps_docker_port: 636 ldap_docker_port: 389 -# OAuth2 Proxy Configuration -oauth2_proxy_upstream_application_and_port: "{{ applications.ldap.webinterface }}:{% if applications.ldap.webinterface == 'phpldapadmin' %}8080{% else %}80{% endif %}" -oauth2_proxy_active: "{{ applications.ldap.lam.oauth2_proxy_active | bool }}" - enable_wildcard_certificate: false # Activate dedicated Certificate # Configuration for ldif import diff --git a/roles/docker-matomo/tasks/main.yml b/roles/docker-matomo/tasks/main.yml index 083e1657..df371fad 100644 --- a/roles/docker-matomo/tasks/main.yml +++ b/roles/docker-matomo/tasks/main.yml @@ -23,8 +23,6 @@ - name: "include role nginx-domain-setup for {{application_id}}" include_role: name: nginx-domain-setup - vars: - oauth2_proxy_active: false # Deactivate prox, in case it got activated by another app when: run_once_docker_matomo is not defined - name: "copy docker-compose.yml and env file" diff --git a/roles/docker-matrix-compose/tasks/create-and-seed-database.yml b/roles/docker-matrix-compose/tasks/create-and-seed-database.yml index 727b020c..15e3403c 100644 --- a/roles/docker-matrix-compose/tasks/create-and-seed-database.yml +++ b/roles/docker-matrix-compose/tasks/create-and-seed-database.yml @@ -10,4 +10,4 @@ when: enable_central_database | bool - name: "include seed-database-to-backup.yml" - include_tasks: ""{{ playbook_dir }}/roles/backup-docker-to-local/tasks/seed-database-to-backup.yml" \ No newline at end of file + include_tasks: "{{ playbook_dir }}/roles/backup-docker-to-local/tasks/seed-database-to-backup.yml" \ No newline at end of file diff --git a/roles/docker-oauth2-proxy/templates/container.yml.j2 b/roles/docker-oauth2-proxy/templates/container.yml.j2 index bd72db0a..32931182 100644 
--- a/roles/docker-oauth2-proxy/templates/container.yml.j2 +++ b/roles/docker-oauth2-proxy/templates/container.yml.j2 @@ -1,3 +1,4 @@ +{% if applications[application_id].oauth2_proxy.enabled | default(false) | bool %} oauth2-proxy: image: quay.io/oauth2-proxy/oauth2-proxy:{{applications.oauth2_proxy.version}} restart: {{docker_restart_policy}} @@ -6,4 +7,5 @@ ports: - {{ports.localhost.oauth2_proxy[application_id]}}:4180/tcp volumes: - - "{{docker_compose.directories.volumes}}{{applications.oauth2_proxy.configuration_file}}:/oauth2-proxy.cfg" \ No newline at end of file + - "{{docker_compose.directories.volumes}}{{applications.oauth2_proxy.configuration_file}}:/oauth2-proxy.cfg" +{% endif %} \ No newline at end of file diff --git a/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2 b/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2 index 6f1ec7a6..e9678410 100644 --- a/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2 +++ b/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2 @@ -2,7 +2,7 @@ http_address = "0.0.0.0:4180" cookie_secret = "{{applications.oauth2_proxy.cookie_secret}}" email_domains = "{{primary_domain}}" cookie_secure = "false" -upstreams = "http://{{oauth2_proxy_upstream_application_and_port}}" +upstreams = "http://{{applications[application_id].oauth2_proxy.application}}:{{applications[application_id].oauth2_proxy.port}}" cookie_domains = ["{{domain}}", "{{domains.keycloak}}"] # Required so cookie can be read on all subdomains. whitelist_domains = [".{{primary_domain}}"] # Required to allow redirection back to original requested target. diff --git a/roles/docker-openproject/vars/main.yml b/roles/docker-openproject/vars/main.yml index d27c98d9..ff9c377a 100644 --- a/roles/docker-openproject/vars/main.yml +++ b/roles/docker-openproject/vars/main.yml 
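Review bot: The guard `applications[application_id].oauth2_proxy.enabled | default(false) | bool` added here is spelled out again in domain.conf.j2, nginx-domain-setup/tasks/main.yml and update-repository-with-files.yml, and one of those copies (the second check in domain.conf.j2) already drops the `| bool`. Computing it once, for example a helper next to the other helper variables in `group_vars/all/11_iam.yml` such as `_oauth2_proxy_enabled: "{{ applications[application_id].oauth2_proxy.enabled | default(false) | bool }}"`, would keep the fail-closed default in a single place; this presumes `application_id` is in scope wherever that variable is evaluated, which holds for the role-level uses in this commit but must not be used inside the Keycloak realm loop. Note also that `applications.oauth2_proxy` (the proxy's own image and configuration file, referenced on the `image:` and `volumes` lines) and `applications[application_id].oauth2_proxy` (the per-application switch) now share a key name; a short comment at the top of this template distinguishing the two would help the next reader.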
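Review bot: The new `upstreams` line fails the template when an application enables the proxy but omits `application` or `port`, whereas the removed global `oauth2_proxy_upstream_application_and_port: "application:80"` silently supplied a default; failing loudly is the better behaviour for the setting that decides where authenticated traffic is forwarded, but the requirement should be written down in `group_vars/all/07_applications.yml` next to the `oauth2_proxy` blocks, e.g. `# application and port are mandatory when enabled is true`. Separately, the hunk's context still shows `cookie_secure = "false"` although the proxy now fronts administrative interfaces on domains whose nginx template includes the letsencrypt ssl header; that is a pre-existing setting and deserves its own review rather than a change in this commit.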
@@ -9,8 +9,4 @@ custom_openproject_image: "custom_openproject" # The following volume doesn't have a practcical function. It just exist to prevent the creation of unnecessary anonymous volumes -dummy_volume: "{{docker_compose.directories.volumes}}dummy_volume" - -# OAuth2 Proxy Configuration -oauth2_proxy_upstream_application_and_port: "proxy:80" -oauth2_proxy_active: "{{ applications.openproject.oauth2_proxy_active | bool }}" \ No newline at end of file +dummy_volume: "{{docker_compose.directories.volumes}}dummy_volume" \ No newline at end of file diff --git a/roles/docker-phpmyadmin/vars/main.yml b/roles/docker-phpmyadmin/vars/main.yml index a6be9d84..2f0fb781 100644 --- a/roles/docker-phpmyadmin/vars/main.yml +++ b/roles/docker-phpmyadmin/vars/main.yml @@ -1,4 +1,3 @@ application_id: "phpmyadmin" database_type: "mariadb" -database_host: "{{ 'central-' + database_type if enable_central_database}}" -oauth2_proxy_active: "{{ applications.phpmyadmin.oauth2_proxy_active | bool }}" \ No newline at end of file +database_host: "{{ 'central-' + database_type if enable_central_database}}" \ No newline at end of file diff --git a/roles/docker-yourls/templates/docker-compose.yml.j2 b/roles/docker-yourls/templates/docker-compose.yml.j2 index 447902f3..ee75f665 100644 --- a/roles/docker-yourls/templates/docker-compose.yml.j2 +++ b/roles/docker-yourls/templates/docker-compose.yml.j2 @@ -2,6 +2,8 @@ services: {% include 'roles/docker-central-database/templates/services/' + database_type + '.yml.j2' %} +{% include 'roles/docker-oauth2-proxy/templates/container.yml.j2' %} + application: image: yourls:{{applications.yourls.version}} {% include 'roles/docker-compose/templates/services/base.yml.j2' %} diff --git a/roles/nginx-docker-reverse-proxy/templates/domain.conf.j2 b/roles/nginx-docker-reverse-proxy/templates/domain.conf.j2 index 0dd85365..e4803d6d 100644 --- a/roles/nginx-docker-reverse-proxy/templates/domain.conf.j2 
+++ b/roles/nginx-docker-reverse-proxy/templates/domain.conf.j2 @@ -2,19 +2,34 @@ server { server_name {{domain}}; - {% if oauth2_proxy_active | bool %} + {% if applications[application_id].oauth2_proxy.enabled | default(false) | bool %} {% include 'roles/docker-oauth2-proxy/templates/endpoint.conf.j2'%} {% endif %} {% include 'roles/nginx-modifier-all/templates/global.includes.conf.j2'%} {% if nginx_docker_reverse_proxy_extra_configuration is defined %} - # Additional Domain Specific Configuration + {# Additional Domain Specific Configuration #} {{nginx_docker_reverse_proxy_extra_configuration}} {% endif %} {% include 'roles/letsencrypt/templates/ssl_header.j2' %} - {% include 'proxy_pass.conf.j2' %} - + {% if applications[application_id].oauth2_proxy.enabled | default(false) %} + {% if applications[application_id].oauth2_proxy.location is defined %} + {# Exposed and Unprotected Location #} + {% include 'proxy_pass.conf.j2' %} + {% set oauth2_proxy_enabled = true %} + {% set location = applications[application_id].oauth2_proxy.location %} + {# Gated Location by OAuth2 Proxy #} + {% include 'proxy_pass.conf.j2' %} + {% else %} + {% set oauth2_proxy_enabled = true %} + {# Protected Domain by OAuth2 Proxy #} + {% include 'proxy_pass.conf.j2'%} + {% endif %} + {% else %} + {# Exposed Domain - Not protected by OAuth2 Proxy #} + {% include 'proxy_pass.conf.j2' %} + {% endif %} } diff --git a/roles/nginx-docker-reverse-proxy/templates/proxy_pass.conf.j2 b/roles/nginx-docker-reverse-proxy/templates/proxy_pass.conf.j2 index 262fd2f0..5267d748 100644 --- a/roles/nginx-docker-reverse-proxy/templates/proxy_pass.conf.j2 +++ b/roles/nginx-docker-reverse-proxy/templates/proxy_pass.conf.j2 @@ -1,6 +1,6 @@ -location / +location {{location | default("/")}} { - {% if oauth2_proxy_active | bool %} + {% if oauth2_proxy_enabled | default(false) | bool %} {% include 'roles/docker-oauth2-proxy/templates/following_directives.conf.j2'%} {% endif %} 
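Review bot: The second guard, `{% if applications[application_id].oauth2_proxy.enabled | default(false) %}`, omits the `| bool` that the first guard in this hunk and every other consumer in the commit apply; a string value such as `"false"` (easily produced by templated inventory) then fails the first check but passes the second, so the endpoint include is skipped while `proxy_pass.conf.j2` still emits the following_directives for a gateway that was never declared. Make the two identical: `{% if applications[application_id].oauth2_proxy.enabled | default(false) | bool %}`. The location branch also relies on `oauth2_proxy_enabled` being undefined at the first include and set only before the second, and both `set` values remain in the template context afterwards, so a comment such as `{# proxy_pass.conf.j2 reads location and oauth2_proxy_enabled from this context; include order matters #}` would make the intent explicit.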
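Review bot: `location {{location | default("/")}}` interpolates the inventory value unescaped and as a plain prefix match, so a gated prefix such as `/admin/` is overridden by any regex location (`location ~ \.php$` is the usual one for PHP applications) that the included global configuration may define, and the directives that following_directives.conf.j2 adds would then be bypassed for `/admin/index.php`; whether such a regex location exists here is not visible in the diff. Emitting the `^~` modifier only for an explicit prefix, `location {% if location is defined %}^~ {% endif %}{{location | default("/")}}`, makes the gated prefix win over regex locations while leaving the default `location /` unchanged. A `location` value containing whitespace or `{`/`;` would still corrupt the server block, which is worth a comment on the key or a validation step. The included following_directives template is outside this hunk.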
diff --git a/roles/nginx-domain-setup/tasks/main.yml b/roles/nginx-domain-setup/tasks/main.yml index 7a93f7b6..8b695156 100644 --- a/roles/nginx-domain-setup/tasks/main.yml +++ b/roles/nginx-domain-setup/tasks/main.yml @@ -9,7 +9,6 @@ - name: "Relevant variables for role: {{ role_path | basename }}" debug: msg: - oauth2_proxy_active: "{{oauth2_proxy_active}}" domains: "{{domains}}" applications: "{{applications}}" when: enable_debug | bool @@ -23,4 +22,4 @@ - name: "include the docker-oauth2-proxy role {{domain}}" include_role: name: docker-oauth2-proxy - when: oauth2_proxy_active | bool \ No newline at end of file + when: applications[application_id].oauth2_proxy.enabled | default(false) | bool \ No newline at end of file diff --git a/tasks/update-repository-with-files.yml b/tasks/update-repository-with-files.yml index 0131c5e2..3f949f28 100644 --- a/tasks/update-repository-with-files.yml +++ b/tasks/update-repository-with-files.yml @@ -4,7 +4,7 @@ - name: "Merge detached_files with applications.oauth2_proxy.configuration_file" ansible.builtin.set_fact: merged_detached_files: "{{ detached_files + [applications.oauth2_proxy.configuration_file] }}" - when: oauth2_proxy_active + when: applications[application_id].oauth2_proxy.enabled | default(false) | bool - name: "backup detached files" command: >