Implemented location dedicated OAuth2 Proxy and solved other bugs

2025-02-22 04:29:38 +01:00 · 2025-02-19 05:53:00 +01:00 · 2025-02-19 05:53:00 +01:00 · 916cb6e314
commit 916cb6e314
parent e4502bbe54
17 changed files with 62 additions and 45 deletions
--- a/group_vars/all/07_applications.yml
+++ b/group_vars/all/07_applications.yml
@ -82,7 +82,6 @@ defaults_applications:
    lam:
      version:                        "latest"
      administrator_password:         "{{user_administrator_initial_password}}" # CHANGE for security reasons
-      oauth2_proxy_active:            true
    openldap:
      version:                        "latest"
      network:
@ -94,7 +93,10 @@ defaults_applications:
    webinterface:                     "lam"                                     # The webinterface which should be used. Possible: lam and phpldapadmin
    administrator_username:           "{{administrator_username}}"
    ldap_enabled:                     True                                      # Should have the same value as applications.ldap.openldap.network.local.
-                                                                                # Both need to be set to True to load the ldap_network in the docker compose file
+    oauth2_proxy:
+      enabled:                        true                                      # Activate the OAuth2 Proxy for the LDAP Webinterface
+      application:                    lam                                       # Needs to be the same as webinterface
+      port:                           80                                        # If you use phpldapadmin set it to 8080
    # administrator_password:                                                   # CHANGE for security reasons in inventory file
    # administrator_database_password:                                          # CHANGE for security reasons in inventory file

@ -112,6 +114,8 @@ defaults_applications:
  ## Matomo
  matomo:
    version:                          "latest"
+    oauth2_proxy:
+      enabled:                        false                                     # Deactivated atm. @todo implement 

  ## Mastodon
  mastodon:
@ -164,7 +168,10 @@ defaults_applications:
  ## Open Project
  openproject:
    version:              "13"    # Update when available. Sadly no rolling release implemented
-    oauth2_proxy_active:  true
+    oauth2_proxy:  
+      enabled:            true    # OpenProject doesn't support OIDC, so this procy in combination with LDAP is needed
+      application:        "proxy"
+      port:               "80"
    ldap_enabled:         True    # Enables LDAP by default 

  ## Peertube
@ -175,7 +182,10 @@ defaults_applications:
  phpmyadmin:
    version:              "latest"
    autologin:            false     # This is a high security risk. Just activate this option if you know what you're doing
-    oauth2_proxy_active:  true
+    oauth2_proxy:  
+      enabled:            true
+      port:               "80"
+      application:        "application"

  ## Pixelfed
  pixelfed:
@ -199,3 +209,8 @@ defaults_applications:
  yourls:
    administrator_username:  "{{administrator_username}}"
    version:                 "latest"
+    oauth2_proxy:  
+      enabled:                true
+      application:            "application"
+      port:                   "80"
+      location:               "/admin/"                       # Protects the admin arear
--- a/group_vars/all/09_ports.yml
+++ b/group_vars/all/09_ports.yml
@ -7,6 +7,7 @@ ports:
      phpmyadmin:     4181
      ldap:           4182
      openproject:    4183
+      yourls:         4184
    ldap:
      openldap:       389
    http:
--- a/group_vars/all/10_networks.yml
+++ b/group_vars/all/10_networks.yml
@ -50,8 +50,9 @@ defaults_networks:
      subnet: 192.168.102.48/28
    nextcloud:
      subnet: 192.168.102.64/28
-    oauth2_proxy:
-      subnet: 192.168.102.80/28
+    # This network should be free. Use it for another application ->
+    #oauth2_proxy:
+    #  subnet: 192.168.102.80/28
    peertube:
      subnet: 192.168.102.96/28
    phpmyadmin:
--- a/group_vars/all/11_iam.yml
+++ b/group_vars/all/11_iam.yml
@ -7,7 +7,7 @@
 #############################################
 # @see https://en.wikipedia.org/wiki/OpenID_Connect

-## Private configuration variables:
+## Helper Variables:
 _oidc_client_realm:       "{{ oidc.client.realm if oidc.client is defined and oidc.client.realm is defined else primary_domain }}"
 _oidc_client_issuer_url:  "https://{{domains.keycloak}}/realms/{{_oidc_client_realm}}"

@ -25,18 +25,11 @@ defaults_oidc:
    logout_url:           "{{_oidc_client_issuer_url}}/protocol/openid-connect/logout"      # Endpoint to log out the user
    change_credentials:   "{{_oidc_client_issuer_url}}account/account-security/signing-in"  # URL for managing or changing user credentials

-#############################################
-### OAuth2-Proxy                          ###
-#############################################
-# The name of the application which the server redirects to. Needs to be defined in role vars.
-oauth2_proxy_upstream_application_and_port:  "application:80"
-oauth2_proxy_active:                         false   
-
 #############################################
 ### LDAP                                  ###
 #############################################

-# Helper variables
+# Helper Variables:
 _ldap_dn_base: "dc={{primary_domain_sld}},dc={{primary_domain_tld}}"

 ldap:
--- a/roles/docker-keycloak/templates/import/realm.json.j2
+++ b/roles/docker-keycloak/templates/import/realm.json.j2
@ -836,7 +836,7 @@
      "redirectUris": [
        {%- set redirect_uris = [] -%}
        {%- for application, domain in defaults_domains.items() -%}
-          {%- if applications[application] is defined and applications[application].oauth2_proxy_active is defined and applications[application].oauth2_proxy_active -%}
+          {%- if applications[application_id] is defined and applications[application_id].oauth2_proxy.enabled | default(false) | bool -%}
            {%- if domain is string -%}
              {%- set _ = redirect_uris.append("https://" ~ domain ~ "/*") -%}
            {%- else -%}
--- a/roles/docker-ldap/vars/main.yml
+++ b/roles/docker-ldap/vars/main.yml
@ -2,10 +2,6 @@ application_id:       "ldap"
 ldaps_docker_port:    636
 ldap_docker_port:     389

-# OAuth2 Proxy Configuration
-oauth2_proxy_upstream_application_and_port: "{{ applications.ldap.webinterface }}:{% if applications.ldap.webinterface == 'phpldapadmin' %}8080{% else %}80{% endif %}"
-oauth2_proxy_active:                        "{{ applications.ldap.lam.oauth2_proxy_active | bool }}"
-
 enable_wildcard_certificate:  false # Activate dedicated Certificate

 # Configuration for ldif import
--- a/roles/docker-matomo/tasks/main.yml
+++ b/roles/docker-matomo/tasks/main.yml
@ -23,8 +23,6 @@
 - name: "include role nginx-domain-setup for {{application_id}}"
  include_role: 
    name: nginx-domain-setup
-  vars:
-    oauth2_proxy_active: false # Deactivate prox, in case it got activated by another app
  when: run_once_docker_matomo is not defined

 - name: "copy docker-compose.yml and env file"
--- a/roles/docker-matrix-compose/tasks/create-and-seed-database.yml
+++ b/roles/docker-matrix-compose/tasks/create-and-seed-database.yml
@ -10,4 +10,4 @@
  when: enable_central_database | bool

 - name: "include seed-database-to-backup.yml"
-  include_tasks: ""{{ playbook_dir }}/roles/backup-docker-to-local/tasks/seed-database-to-backup.yml"
+  include_tasks: "{{ playbook_dir }}/roles/backup-docker-to-local/tasks/seed-database-to-backup.yml"
--- a/roles/docker-oauth2-proxy/templates/container.yml.j2
+++ b/roles/docker-oauth2-proxy/templates/container.yml.j2
@ -1,3 +1,4 @@
+{% if applications[application_id].oauth2_proxy.enabled | default(false) | bool %}
  oauth2-proxy:
    image: quay.io/oauth2-proxy/oauth2-proxy:{{applications.oauth2_proxy.version}}
    restart: {{docker_restart_policy}}
@ -7,3 +8,4 @@
      - {{ports.localhost.oauth2_proxy[application_id]}}:4180/tcp
    volumes:
      - "{{docker_compose.directories.volumes}}{{applications.oauth2_proxy.configuration_file}}:/oauth2-proxy.cfg"
+{% endif %}
--- a/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
+++ b/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
@ -2,7 +2,7 @@ http_address            =   "0.0.0.0:4180"
 cookie_secret           =   "{{applications.oauth2_proxy.cookie_secret}}"
 email_domains           =   "{{primary_domain}}"
 cookie_secure           =   "false"
-upstreams               =   "http://{{oauth2_proxy_upstream_application_and_port}}"
+upstreams               =   "http://{{applications[application_id].oauth2_proxy.application}}:{{applications[application_id].oauth2_proxy.port}}"
 cookie_domains          =   ["{{domain}}", "{{domains.keycloak}}"]                  # Required so cookie can be read on all subdomains.
 whitelist_domains       =   [".{{primary_domain}}"]                                 # Required to allow redirection back to original requested target.

--- a/roles/docker-openproject/vars/main.yml
+++ b/roles/docker-openproject/vars/main.yml
@ -10,7 +10,3 @@ custom_openproject_image:                     "custom_openproject"

 # The following volume doesn't have a practcical function. It just exist to prevent the creation of unnecessary anonymous volumes
 dummy_volume:                                 "{{docker_compose.directories.volumes}}dummy_volume"
-
-# OAuth2 Proxy Configuration
-oauth2_proxy_upstream_application_and_port:   "proxy:80"
-oauth2_proxy_active:                          "{{ applications.openproject.oauth2_proxy_active | bool }}"
--- a/roles/docker-phpmyadmin/vars/main.yml
+++ b/roles/docker-phpmyadmin/vars/main.yml
@ -1,4 +1,3 @@
 application_id:       "phpmyadmin"
 database_type:        "mariadb"
 database_host:        "{{ 'central-' + database_type if enable_central_database}}"
-oauth2_proxy_active:  "{{ applications.phpmyadmin.oauth2_proxy_active | bool }}"
--- a/roles/docker-yourls/templates/docker-compose.yml.j2
+++ b/roles/docker-yourls/templates/docker-compose.yml.j2
@ -2,6 +2,8 @@ services:

 {% include 'roles/docker-central-database/templates/services/' + database_type + '.yml.j2' %}

+{% include 'roles/docker-oauth2-proxy/templates/container.yml.j2' %}
+
  application:
    image: yourls:{{applications.yourls.version}}
 {% include 'roles/docker-compose/templates/services/base.yml.j2' %}
--- a/roles/nginx-docker-reverse-proxy/templates/domain.conf.j2
+++ b/roles/nginx-docker-reverse-proxy/templates/domain.conf.j2
@ -2,19 +2,34 @@ server
 {
  server_name {{domain}};

-  {% if oauth2_proxy_active | bool %}
+  {% if applications[application_id].oauth2_proxy.enabled | default(false) | bool %}
    {% include 'roles/docker-oauth2-proxy/templates/endpoint.conf.j2'%}
  {% endif %}

  {% include 'roles/nginx-modifier-all/templates/global.includes.conf.j2'%}
  
  {% if nginx_docker_reverse_proxy_extra_configuration is defined %}
-    # Additional Domain Specific Configuration
+    {# Additional Domain Specific Configuration #}
    {{nginx_docker_reverse_proxy_extra_configuration}}
  {% endif %}

  {% include 'roles/letsencrypt/templates/ssl_header.j2' %}

+  {% if applications[application_id].oauth2_proxy.enabled | default(false) %}
+    {% if applications[application_id].oauth2_proxy.location is defined %}
+      {# Exposed and Unprotected Location #}
      {% include 'proxy_pass.conf.j2' %}
-
+      {% set oauth2_proxy_enabled = true %}
+      {% set location = applications[application_id].oauth2_proxy.location %}
+      {# Gated Location by OAuth2 Proxy #}
+      {% include 'proxy_pass.conf.j2' %}
+    {% else %}
+      {% set oauth2_proxy_enabled = true %}
+      {# Protected Domain by OAuth2 Proxy #}
+      {% include 'proxy_pass.conf.j2'%}
+    {% endif %}
+  {% else %}
+    {# Exposed Domain - Not protected by OAuth2 Proxy #}
+    {% include 'proxy_pass.conf.j2' %}
+  {% endif %}
 }
--- a/roles/nginx-docker-reverse-proxy/templates/proxy_pass.conf.j2
+++ b/roles/nginx-docker-reverse-proxy/templates/proxy_pass.conf.j2
@ -1,6 +1,6 @@
-location /
+location {{location | default("/")}}
 {
-  {% if oauth2_proxy_active | bool %}
+  {% if oauth2_proxy_enabled | default(false) | bool %}
    {% include 'roles/docker-oauth2-proxy/templates/following_directives.conf.j2'%}
  {% endif %}

--- a/roles/nginx-domain-setup/tasks/main.yml
+++ b/roles/nginx-domain-setup/tasks/main.yml
@ -9,7 +9,6 @@
 - name: "Relevant variables for role: {{ role_path | basename }}"
  debug:
    msg:
-      oauth2_proxy_active:  "{{oauth2_proxy_active}}"
      domains:              "{{domains}}"
      applications:         "{{applications}}"
  when: enable_debug | bool
@ -23,4 +22,4 @@
 - name: "include the docker-oauth2-proxy role {{domain}}"
  include_role:
    name: docker-oauth2-proxy
-  when: oauth2_proxy_active | bool
+  when: applications[application_id].oauth2_proxy.enabled | default(false) | bool
--- a/tasks/update-repository-with-files.yml
+++ b/tasks/update-repository-with-files.yml
@ -4,7 +4,7 @@
 - name: "Merge detached_files with applications.oauth2_proxy.configuration_file"
  ansible.builtin.set_fact:
    merged_detached_files: "{{ detached_files + [applications.oauth2_proxy.configuration_file] }}"
-  when: oauth2_proxy_active
+  when: applications[application_id].oauth2_proxy.enabled | default(false) | bool

 - name: "backup detached files"
  command: >