Implemented location dedicated OAuth2 Proxy and solved other bugs

This commit is contained in:
Kevin Veen-Birkenbach 2025-02-19 05:53:00 +01:00
parent e4502bbe54
commit 916cb6e314
17 changed files with 62 additions and 45 deletions


@ -82,7 +82,6 @@ defaults_applications:
lam:
version: "latest"
administrator_password: "{{user_administrator_initial_password}}" # CHANGE for security reasons
oauth2_proxy_active: true
openldap:
version: "latest"
network:
@ -94,7 +93,10 @@ defaults_applications:
webinterface: "lam" # The webinterface which should be used. Possible: lam and phpldapadmin
administrator_username: "{{administrator_username}}"
ldap_enabled: True # Should have the same value as applications.ldap.openldap.network.local.
# Both need to be set to True to load the ldap_network in the docker compose file
oauth2_proxy:
enabled: true # Activate the OAuth2 Proxy for the LDAP Webinterface
application: lam # Needs to be the same as webinterface
port: 80 # If you use phpldapadmin set it to 8080
# administrator_password: # CHANGE for security reasons in inventory file
# administrator_database_password: # CHANGE for security reasons in inventory file
@ -112,6 +114,8 @@ defaults_applications:
## Matomo
matomo:
version: "latest"
oauth2_proxy:
enabled: false # Deactivated atm. @todo implement
## Mastodon
mastodon:
@ -163,9 +167,12 @@ defaults_applications:
## Open Project
openproject:
version: "13" # Update when available. Sadly no rolling release implemented
oauth2_proxy_active: true
ldap_enabled: True # Enables LDAP by default
version: "13" # Update when available. Sadly no rolling release implemented
oauth2_proxy:
enabled: true # OpenProject doesn't support OIDC, so this procy in combination with LDAP is needed
application: "proxy"
port: "80"
ldap_enabled: True # Enables LDAP by default
## Peertube
peertube:
@ -175,7 +182,10 @@ defaults_applications:
phpmyadmin:
version: "latest"
autologin: false # This is a high security risk. Just activate this option if you know what you're doing
oauth2_proxy_active: true
oauth2_proxy:
enabled: true
port: "80"
application: "application"
## Pixelfed
pixelfed:
@ -198,4 +208,9 @@ defaults_applications:
## YOURLS
yourls:
administrator_username: "{{administrator_username}}"
version: "latest"
version: "latest"
oauth2_proxy:
enabled: true
application: "application"
port: "80"
location: "/admin/" # Protects the admin arear
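Review bot: In the ldap hunk, `application: lam` and `port: 80` now have to be kept in sync with `webinterface` by hand — the ldap role's vars hunk further down removes the line that derived the upstream from `applications.ldap.webinterface` (with 8080 for phpldapadmin), so switching `webinterface` to phpldapadmin without also changing `port` silently points the proxy at a closed port. If the value cannot be derived here, the comment should state the coupling explicitly, e.g. `application: lam # Must match webinterface; phpldapadmin additionally needs port: 8080`. Style: this hunk writes `application: lam` and `port: 80` unquoted while the openproject, phpmyadmin and yourls hunks quote both (`application: "application"`, `port: "80"`); pick one form for the file. The openproject and yourls comments also carry typos (`procy`, `arear`).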


@ -7,6 +7,7 @@ ports:
phpmyadmin: 4181
ldap: 4182
openproject: 4183
yourls: 4184
ldap:
openldap: 389
http:
@ -25,7 +26,7 @@ ports:
roulette-wheel: 8013
joomla: 8014
attendize: 8015
#matrix: 8016 Not used anymore
#matrix: 8016 Not used anymore
baserow: 8017
matomo: 8018
listmonk: 8019


@ -50,8 +50,9 @@ defaults_networks:
subnet: 192.168.102.48/28
nextcloud:
subnet: 192.168.102.64/28
oauth2_proxy:
subnet: 192.168.102.80/28
# This network should be free. Use it for another application ->
#oauth2_proxy:
# subnet: 192.168.102.80/28
peertube:
subnet: 192.168.102.96/28
phpmyadmin:


@ -7,7 +7,7 @@
#############################################
# @see https://en.wikipedia.org/wiki/OpenID_Connect
## Private configuration variables:
## Helper Variables:
_oidc_client_realm: "{{ oidc.client.realm if oidc.client is defined and oidc.client.realm is defined else primary_domain }}"
_oidc_client_issuer_url: "https://{{domains.keycloak}}/realms/{{_oidc_client_realm}}"
@ -25,18 +25,11 @@ defaults_oidc:
logout_url: "{{_oidc_client_issuer_url}}/protocol/openid-connect/logout" # Endpoint to log out the user
change_credentials: "{{_oidc_client_issuer_url}}account/account-security/signing-in" # URL for managing or changing user credentials
#############################################
### OAuth2-Proxy ###
#############################################
# The name of the application which the server redirects to. Needs to be defined in role vars.
oauth2_proxy_upstream_application_and_port: "application:80"
oauth2_proxy_active: false
#############################################
### LDAP ###
#############################################
# Helper variables
# Helper Variables:
_ldap_dn_base: "dc={{primary_domain_sld}},dc={{primary_domain_tld}}"
ldap:


@ -836,7 +836,7 @@
"redirectUris": [
{%- set redirect_uris = [] -%}
{%- for application, domain in defaults_domains.items() -%}
{%- if applications[application] is defined and applications[application].oauth2_proxy_active is defined and applications[application].oauth2_proxy_active -%}
{%- if applications[application_id] is defined and applications[application_id].oauth2_proxy.enabled | default(false) | bool -%}
{%- if domain is string -%}
{%- set _ = redirect_uris.append("https://" ~ domain ~ "/*") -%}
{%- else -%}
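Review bot: The rewritten condition tests `applications[application_id]`, but the enclosing `{%- for application, domain in defaults_domains.items() -%}` iterates `application`, so the check no longer depends on the loop variable and gives the same answer for every domain — the `https://<domain>/*` redirect URI is then registered for all domains or for none. The removed line used the loop variable; it should read `{%- if applications[application] is defined and applications[application].oauth2_proxy.enabled | default(false) | bool -%}`. Registering wildcard redirect URIs for domains whose application does not use the proxy needlessly widens the OIDC client's redirect allow-list, so this is worth fixing before the realm import runs. The loop and the surrounding JSON object begin and end outside the hunk, so a rebinding of `application_id` inside the loop cannot be ruled out from here, but nothing visible suggests one.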


@ -2,10 +2,6 @@ application_id: "ldap"
ldaps_docker_port: 636
ldap_docker_port: 389
# OAuth2 Proxy Configuration
oauth2_proxy_upstream_application_and_port: "{{ applications.ldap.webinterface }}:{% if applications.ldap.webinterface == 'phpldapadmin' %}8080{% else %}80{% endif %}"
oauth2_proxy_active: "{{ applications.ldap.lam.oauth2_proxy_active | bool }}"
enable_wildcard_certificate: false # Activate dedicated Certificate
# Configuration for ldif import


@ -23,8 +23,6 @@
- name: "include role nginx-domain-setup for {{application_id}}"
include_role:
name: nginx-domain-setup
vars:
oauth2_proxy_active: false # Deactivate prox, in case it got activated by another app
when: run_once_docker_matomo is not defined
- name: "copy docker-compose.yml and env file"


@ -10,4 +10,4 @@
when: enable_central_database | bool
- name: "include seed-database-to-backup.yml"
include_tasks: ""{{ playbook_dir }}/roles/backup-docker-to-local/tasks/seed-database-to-backup.yml"
include_tasks: "{{ playbook_dir }}/roles/backup-docker-to-local/tasks/seed-database-to-backup.yml"


@ -1,3 +1,4 @@
{% if applications[application_id].oauth2_proxy.enabled | default(false) | bool %}
oauth2-proxy:
image: quay.io/oauth2-proxy/oauth2-proxy:{{applications.oauth2_proxy.version}}
restart: {{docker_restart_policy}}
@ -6,4 +7,5 @@
ports:
- {{ports.localhost.oauth2_proxy[application_id]}}:4180/tcp
volumes:
- "{{docker_compose.directories.volumes}}{{applications.oauth2_proxy.configuration_file}}:/oauth2-proxy.cfg"
- "{{docker_compose.directories.volumes}}{{applications.oauth2_proxy.configuration_file}}:/oauth2-proxy.cfg"
{% endif %}
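Review bot: The `ports` entry now wrapped by the new `{% if %}` block publishes `{{ports.localhost.oauth2_proxy[application_id]}}:4180/tcp` without a host address, so unless the Docker daemon is configured otherwise the proxy's plain-HTTP listener is bound on every host interface — despite the `localhost` name of the ports map — and Docker-published ports typically bypass host firewall rules. Since only the local nginx needs to reach it, `- 127.0.0.1:{{ports.localhost.oauth2_proxy[application_id]}}:4180/tcp` keeps the listener on loopback. This is pre-existing, but the commit touches this block for every application and is the natural place to fix it; the second hunk appears to be a whitespace-only change apart from the closing `{% endif %}`.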


@ -2,7 +2,7 @@ http_address = "0.0.0.0:4180"
cookie_secret = "{{applications.oauth2_proxy.cookie_secret}}"
email_domains = "{{primary_domain}}"
cookie_secure = "false"
upstreams = "http://{{oauth2_proxy_upstream_application_and_port}}"
upstreams = "http://{{applications[application_id].oauth2_proxy.application}}:{{applications[application_id].oauth2_proxy.port}}"
cookie_domains = ["{{domain}}", "{{domains.keycloak}}"] # Required so cookie can be read on all subdomains.
whitelist_domains = [".{{primary_domain}}"] # Required to allow redirection back to original requested target.
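Review bot: The rewritten `upstreams` line reads `.application` and `.port` without a `default`, so an application that sets `enabled: true` but omits either key fails at render time with an undefined-variable error rather than a clear message; if that is the intended hard requirement, a comment above the line should say so, e.g. `# upstreams requires oauth2_proxy.application and oauth2_proxy.port to be set per application`. Separately, `cookie_secure = "false"` two lines above still issues the session cookie without the Secure attribute, although in this commit's nginx template the proxy endpoint is only reachable through the TLS vhost; unless there is a reason it must stay off, `cookie_secure = "true"` keeps the cookie from being sent over plain HTTP.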


@ -9,8 +9,4 @@ custom_openproject_image: "custom_openproject"
# The following volume doesn't have a practcical function. It just exist to prevent the creation of unnecessary anonymous volumes
dummy_volume: "{{docker_compose.directories.volumes}}dummy_volume"
# OAuth2 Proxy Configuration
oauth2_proxy_upstream_application_and_port: "proxy:80"
oauth2_proxy_active: "{{ applications.openproject.oauth2_proxy_active | bool }}"
dummy_volume: "{{docker_compose.directories.volumes}}dummy_volume"


@ -1,4 +1,3 @@
application_id: "phpmyadmin"
database_type: "mariadb"
database_host: "{{ 'central-' + database_type if enable_central_database}}"
oauth2_proxy_active: "{{ applications.phpmyadmin.oauth2_proxy_active | bool }}"
database_host: "{{ 'central-' + database_type if enable_central_database}}"


@ -2,6 +2,8 @@ services:
{% include 'roles/docker-central-database/templates/services/' + database_type + '.yml.j2' %}
{% include 'roles/docker-oauth2-proxy/templates/container.yml.j2' %}
application:
image: yourls:{{applications.yourls.version}}
{% include 'roles/docker-compose/templates/services/base.yml.j2' %}


@ -2,19 +2,34 @@ server
{
server_name {{domain}};
{% if oauth2_proxy_active | bool %}
{% if applications[application_id].oauth2_proxy.enabled | default(false) | bool %}
{% include 'roles/docker-oauth2-proxy/templates/endpoint.conf.j2'%}
{% endif %}
{% include 'roles/nginx-modifier-all/templates/global.includes.conf.j2'%}
{% if nginx_docker_reverse_proxy_extra_configuration is defined %}
# Additional Domain Specific Configuration
{# Additional Domain Specific Configuration #}
{{nginx_docker_reverse_proxy_extra_configuration}}
{% endif %}
{% include 'roles/letsencrypt/templates/ssl_header.j2' %}
{% include 'proxy_pass.conf.j2' %}
{% if applications[application_id].oauth2_proxy.enabled | default(false) %}
{% if applications[application_id].oauth2_proxy.location is defined %}
{# Exposed and Unprotected Location #}
{% include 'proxy_pass.conf.j2' %}
{% set oauth2_proxy_enabled = true %}
{% set location = applications[application_id].oauth2_proxy.location %}
{# Gated Location by OAuth2 Proxy #}
{% include 'proxy_pass.conf.j2' %}
{% else %}
{% set oauth2_proxy_enabled = true %}
{# Protected Domain by OAuth2 Proxy #}
{% include 'proxy_pass.conf.j2'%}
{% endif %}
{% else %}
{# Exposed Domain - Not protected by OAuth2 Proxy #}
{% include 'proxy_pass.conf.j2' %}
{% endif %}
}
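Review bot: The new outer `{% if applications[application_id].oauth2_proxy.enabled | default(false) %}` drops the `| bool` that the same expression carries on the `endpoint.conf.j2` include line above, so a string override such as `"false"` from an inventory would take the protected branch there but the unprotected one here; `{% if applications[application_id].oauth2_proxy.enabled | default(false) | bool %}` keeps the two gates consistent. In the `location is defined` branch the gate is an nginx prefix `location`, so a request for the path without its trailing slash (`/admin` for the yourls value `"/admin/"`) matches the unprotected `location /` instead; that is only safe if the backend redirects rather than serves the admin UI at that path, which is worth confirming. The two `{% set oauth2_proxy_enabled = true %}` lines could be hoisted above the inner `if` to remove the duplication.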


@ -1,6 +1,6 @@
location /
location {{location | default("/")}}
{
{% if oauth2_proxy_active | bool %}
{% if oauth2_proxy_enabled | default(false) | bool %}
{% include 'roles/docker-oauth2-proxy/templates/following_directives.conf.j2'%}
{% endif %}
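Review bot: The template now depends on two context variables that callers must set (`location` and `oauth2_proxy_enabled`) and that persist across repeated includes from the same calling template, yet nothing at the top of the file documents this; a header such as `{# Expects from the including template: location (optional, default "/") and oauth2_proxy_enabled (optional, default false); both persist across includes #}` would make the contract visible. The location block's body continues past the hunk.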


@ -9,7 +9,6 @@
- name: "Relevant variables for role: {{ role_path | basename }}"
debug:
msg:
oauth2_proxy_active: "{{oauth2_proxy_active}}"
domains: "{{domains}}"
applications: "{{applications}}"
when: enable_debug | bool
@ -23,4 +22,4 @@
- name: "include the docker-oauth2-proxy role {{domain}}"
include_role:
name: docker-oauth2-proxy
when: oauth2_proxy_active | bool
when: applications[application_id].oauth2_proxy.enabled | default(false) | bool


@ -4,7 +4,7 @@
- name: "Merge detached_files with applications.oauth2_proxy.configuration_file"
ansible.builtin.set_fact:
merged_detached_files: "{{ detached_files + [applications.oauth2_proxy.configuration_file] }}"
when: oauth2_proxy_active
when: applications[application_id].oauth2_proxy.enabled | default(false) | bool
- name: "backup detached files"
command: >