Implemented location dedicated OAuth2 Proxy and solved other bugs

2025-08-29 15:06:26 +02:00 · 2025-02-19 05:53:00 +01:00
parent e4502bbe54
commit 916cb6e314
17 changed files with 62 additions and 45 deletions
--- a/roles/docker-keycloak/templates/import/realm.json.j2
+++ b/roles/docker-keycloak/templates/import/realm.json.j2
@@ -836,7 +836,7 @@
      "redirectUris": [
        {%- set redirect_uris = [] -%}
        {%- for application, domain in defaults_domains.items() -%}
-          {%- if applications[application] is defined and applications[application].oauth2_proxy_active is defined and applications[application].oauth2_proxy_active -%}
+          {%- if applications[application_id] is defined and applications[application_id].oauth2_proxy.enabled | default(false) | bool -%}
            {%- if domain is string -%}
              {%- set _ = redirect_uris.append("https://" ~ domain ~ "/*") -%}
            {%- else -%}
--- a/roles/docker-ldap/vars/main.yml
+++ b/roles/docker-ldap/vars/main.yml
@@ -2,10 +2,6 @@ application_id:       "ldap"
 ldaps_docker_port:    636
 ldap_docker_port:     389

-# OAuth2 Proxy Configuration
-oauth2_proxy_upstream_application_and_port: "{{ applications.ldap.webinterface }}:{% if applications.ldap.webinterface == 'phpldapadmin' %}8080{% else %}80{% endif %}"
-oauth2_proxy_active:                        "{{ applications.ldap.lam.oauth2_proxy_active | bool }}"
-
 enable_wildcard_certificate:  false # Activate dedicated Certificate

 # Configuration for ldif import
--- a/roles/docker-matomo/tasks/main.yml
+++ b/roles/docker-matomo/tasks/main.yml
@@ -23,8 +23,6 @@
 - name: "include role nginx-domain-setup for {{application_id}}"
  include_role: 
    name: nginx-domain-setup
-  vars:
-    oauth2_proxy_active: false # Deactivate prox, in case it got activated by another app
  when: run_once_docker_matomo is not defined

 - name: "copy docker-compose.yml and env file"
--- a/roles/docker-matrix-compose/tasks/create-and-seed-database.yml
+++ b/roles/docker-matrix-compose/tasks/create-and-seed-database.yml
@@ -10,4 +10,4 @@
  when: enable_central_database | bool

 - name: "include seed-database-to-backup.yml"
-  include_tasks: ""{{ playbook_dir }}/roles/backup-docker-to-local/tasks/seed-database-to-backup.yml"
+  include_tasks: "{{ playbook_dir }}/roles/backup-docker-to-local/tasks/seed-database-to-backup.yml"
--- a/roles/docker-oauth2-proxy/templates/container.yml.j2
+++ b/roles/docker-oauth2-proxy/templates/container.yml.j2
@@ -1,3 +1,4 @@
+{% if applications[application_id].oauth2_proxy.enabled | default(false) | bool %}
  oauth2-proxy:
    image: quay.io/oauth2-proxy/oauth2-proxy:{{applications.oauth2_proxy.version}}
    restart: {{docker_restart_policy}}
@@ -6,4 +7,5 @@
    ports:
      - {{ports.localhost.oauth2_proxy[application_id]}}:4180/tcp
    volumes:
-      - "{{docker_compose.directories.volumes}}{{applications.oauth2_proxy.configuration_file}}:/oauth2-proxy.cfg"
+      - "{{docker_compose.directories.volumes}}{{applications.oauth2_proxy.configuration_file}}:/oauth2-proxy.cfg"
+{% endif %}
--- a/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
+++ b/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
@@ -2,7 +2,7 @@ http_address            =   "0.0.0.0:4180"
 cookie_secret           =   "{{applications.oauth2_proxy.cookie_secret}}"
 email_domains           =   "{{primary_domain}}"
 cookie_secure           =   "false"
-upstreams               =   "http://{{oauth2_proxy_upstream_application_and_port}}"
+upstreams               =   "http://{{applications[application_id].oauth2_proxy.application}}:{{applications[application_id].oauth2_proxy.port}}"
 cookie_domains          =   ["{{domain}}", "{{domains.keycloak}}"]                  # Required so cookie can be read on all subdomains.
 whitelist_domains       =   [".{{primary_domain}}"]                                 # Required to allow redirection back to original requested target.

--- a/roles/docker-openproject/vars/main.yml
+++ b/roles/docker-openproject/vars/main.yml
@@ -9,8 +9,4 @@ custom_openproject_image:                     "custom_openproject"


 # The following volume doesn't have a practcical function. It just exist to prevent the creation of unnecessary anonymous volumes
-dummy_volume:                                 "{{docker_compose.directories.volumes}}dummy_volume"
-
-# OAuth2 Proxy Configuration
-oauth2_proxy_upstream_application_and_port:   "proxy:80"
-oauth2_proxy_active:                          "{{ applications.openproject.oauth2_proxy_active | bool }}"
+dummy_volume:                                 "{{docker_compose.directories.volumes}}dummy_volume"
--- a/roles/docker-phpmyadmin/vars/main.yml
+++ b/roles/docker-phpmyadmin/vars/main.yml
@@ -1,4 +1,3 @@
 application_id:       "phpmyadmin"
 database_type:        "mariadb"
-database_host:        "{{ 'central-' + database_type if enable_central_database}}"
-oauth2_proxy_active:  "{{ applications.phpmyadmin.oauth2_proxy_active | bool }}"
+database_host:        "{{ 'central-' + database_type if enable_central_database}}"
--- a/roles/docker-yourls/templates/docker-compose.yml.j2
+++ b/roles/docker-yourls/templates/docker-compose.yml.j2
@@ -2,6 +2,8 @@ services:

 {% include 'roles/docker-central-database/templates/services/' + database_type + '.yml.j2' %}

+{% include 'roles/docker-oauth2-proxy/templates/container.yml.j2' %}
+
  application:
    image: yourls:{{applications.yourls.version}}
 {% include 'roles/docker-compose/templates/services/base.yml.j2' %}
--- a/roles/nginx-docker-reverse-proxy/templates/domain.conf.j2
+++ b/roles/nginx-docker-reverse-proxy/templates/domain.conf.j2
@@ -2,19 +2,34 @@ server
 {
  server_name {{domain}};

-  {% if oauth2_proxy_active | bool %}
+  {% if applications[application_id].oauth2_proxy.enabled | default(false) | bool %}
    {% include 'roles/docker-oauth2-proxy/templates/endpoint.conf.j2'%}
  {% endif %}

  {% include 'roles/nginx-modifier-all/templates/global.includes.conf.j2'%}
  
  {% if nginx_docker_reverse_proxy_extra_configuration is defined %}
-    # Additional Domain Specific Configuration
+    {# Additional Domain Specific Configuration #}
    {{nginx_docker_reverse_proxy_extra_configuration}}
  {% endif %}

  {% include 'roles/letsencrypt/templates/ssl_header.j2' %}

-  {% include 'proxy_pass.conf.j2' %}
-
+  {% if applications[application_id].oauth2_proxy.enabled | default(false) %}
+    {% if applications[application_id].oauth2_proxy.location is defined %}
+      {# Exposed and Unprotected Location #}
+      {% include 'proxy_pass.conf.j2' %}
+      {% set oauth2_proxy_enabled = true %}
+      {% set location = applications[application_id].oauth2_proxy.location %}
+      {# Gated Location by OAuth2 Proxy #}
+      {% include 'proxy_pass.conf.j2' %}
+    {% else %}
+      {% set oauth2_proxy_enabled = true %}
+      {# Protected Domain by OAuth2 Proxy #}
+      {% include 'proxy_pass.conf.j2'%}
+    {% endif %}
+  {% else %}
+    {# Exposed Domain - Not protected by OAuth2 Proxy #}
+    {% include 'proxy_pass.conf.j2' %}
+  {% endif %}
 }
--- a/roles/nginx-docker-reverse-proxy/templates/proxy_pass.conf.j2
+++ b/roles/nginx-docker-reverse-proxy/templates/proxy_pass.conf.j2
@@ -1,6 +1,6 @@
-location /
+location {{location | default("/")}}
 {
-  {% if oauth2_proxy_active | bool %}
+  {% if oauth2_proxy_enabled | default(false) | bool %}
    {% include 'roles/docker-oauth2-proxy/templates/following_directives.conf.j2'%}
  {% endif %}

--- a/roles/nginx-domain-setup/tasks/main.yml
+++ b/roles/nginx-domain-setup/tasks/main.yml
@@ -9,7 +9,6 @@
 - name: "Relevant variables for role: {{ role_path | basename }}"
  debug:
    msg:
-      oauth2_proxy_active:  "{{oauth2_proxy_active}}"
      domains:              "{{domains}}"
      applications:         "{{applications}}"
  when: enable_debug | bool
@@ -23,4 +22,4 @@
 - name: "include the docker-oauth2-proxy role {{domain}}"
  include_role:
    name: docker-oauth2-proxy
-  when: oauth2_proxy_active | bool
+  when: applications[application_id].oauth2_proxy.enabled | default(false) | bool