Implemented OAuth2-Proxy and other security measures for phpmyadmin

2025-01-26 20:57:34 +01:00
parent ec5768f3d4
commit b742ffd476
7 changed files with 45 additions and 21 deletions


@@ -24,6 +24,7 @@ services:
LDAP_ADMIN_PASSWORD: {{ldap_administrator_database_password}} # LDAP admin password
{% elif ldap_webinterface == 'phpldapadmin' %}
phpldapadmin:
name: phpldapadmin
image: leenooks/phpldapadmin:{{ldap_phpldapadmin_version}}
logging:
driver: journald
@@ -37,6 +38,7 @@ services:
{% endif %}
openldap:
image: bitnami/openldap:{{ldap_openldap_version}}
name: openldap
logging:
driver: journald
restart: {{docker_restart_policy}}
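Review bot: `name: phpldapadmin` (and `name: openldap` in the second hunk) is placed inside a service definition, but `name` is not a service-level attribute in the Compose specification — it is only valid at the top level as the project name, and recent Compose versions validate service keys and reject unknown ones. The role already uses the intended key elsewhere in this commit (`container_name: phpmyadmin`), so replace these with `container_name: phpldapadmin` and `container_name: openldap`, or drop them if the default service name is acceptable. Both hunks are fragments of a `services:` mapping that begins before the shown lines.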


@@ -177,6 +177,7 @@ If your IP or domain is flagged by Cloudmark, you can submit a **reset request**
- [Mailu GitHub repository](https://github.com/Mailu/Mailu)
- [Plesk support article on RoundCube connection issue](https://support.plesk.com/hc/en-us/articles/115001264814-Unable-to-log-into-RoundCube-Connection-to-storage-server-failed)
- [Gist by marienfressinaud](https://gist.github.com/marienfressinaud/f284a59b18aad395eb0de2d22836ae6b)
- [Implementing OpenID with Mailu](https://github.com/heviat/Mailu-OIDC)
For more information about this role, visit the [GitHub repository](https://github.com/kevinveenbirkenbach/cymais/tree/master/roles/docker-mailu).


@@ -1,15 +1,19 @@
http_address="0.0.0.0:4180"
cookie_secret="{{oauth2_proxy_cookie_secret}}"
email_domains="{{primary_domain}}"
cookie_secure="false"
upstreams="http://{{oauth2_proxy_upstream_application_and_port}}"
cookie_domains=["{{domain}}", "{{domain_keycloak}}"] # Required so cookie can be read on all subdomains.
whitelist_domains=[".{{primary_domain}}"] # Required to allow redirection back to original requested target.
http_address = "0.0.0.0:4180"
cookie_secret = "{{oauth2_proxy_cookie_secret}}"
email_domains = "{{primary_domain}}"
cookie_secure = "false"
upstreams = "http://{{oauth2_proxy_upstream_application_and_port}}"
cookie_domains = ["{{domain}}", "{{domain_keycloak}}"] # Required so cookie can be read on all subdomains.
whitelist_domains = [".{{primary_domain}}"] # Required to allow redirection back to original requested target.
# keycloak provider
client_secret="{{oauth2_proxy_client_secret}}"
client_id="{{domain}}"
redirect_url="https://{{domain}}/oauth2/callback"
oidc_issuer_url="https://{{domain_keycloak}}/realms/{{primary_domain}}"
provider="oidc"
provider_display_name="Keycloak"
client_secret = "{{oauth2_proxy_client_secret}}"
client_id = "{{domain}}"
redirect_url = "https://{{domain}}/oauth2/callback"
oidc_issuer_url = "https://{{domain_keycloak}}/realms/{{primary_domain}}"
provider = "oidc"
provider_display_name = "Keycloak"
# role restrictions
cookie_roles = "realm_access.roles"
allowed_roles = "{{oauth2_proxy_allowed_roles}}"
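Review bot: The role restriction added at the end (`allowed_roles = "{{oauth2_proxy_allowed_roles}}"`) is, per the oauth2-proxy documentation, an option of the keycloak-oidc provider; with `provider = "oidc"` it is not evaluated, so every realm user who can authenticate reaches the upstream regardless of role. Switch to `provider = "keycloak-oidc"` (the existing `oidc_issuer_url`, `client_id` and `client_secret` stay as they are) so the restriction is enforced, and verify the `cookie_roles` key — I cannot find it among the documented options, so it is most likely ignored silently. Separately, `cookie_secure = "false"` strips the Secure attribute from the session cookie even though `redirect_url` is https-only; set `cookie_secure = "true"` and make sure the fronting reverse proxy forwards `X-Forwarded-Proto` so the proxy recognises the TLS origin. On `cookie_domains`, listing `{{domain_keycloak}}` only has an effect if oauth2-proxy is itself reached under that host, since it selects the longest entry matching the request host — the inline comment about "all subdomains" probably overstates what it does.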


@@ -1,4 +1,7 @@
services:
{% include 'roles/docker-oauth2-proxy/templates/container.yml.j2' %}
application:
logging:
driver: journald
@@ -6,8 +9,10 @@ services:
container_name: phpmyadmin
environment:
PMA_HOST: central-mariadb
{% if phpmyadmin_autologin | bool %}
PMA_USER: root
PMA_PASSWORD: "{{central_mariadb_root_password}}"
{% endif %}
restart: {{docker_restart_policy}}
ports:
- "127.0.0.1:{{http_port}}:80"
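Review bot: The `application` service still publishes `127.0.0.1:{{http_port}}:80` on the host, while oauth2-proxy is pointed at `application:80` as its upstream; unless the reverse-proxy vhost was repointed to the oauth2-proxy listener in one of the files not shown here, requests arriving on `http_port` bypass the proxy entirely. That matters because the new `phpmyadmin_autologin` branch injects `PMA_USER: root` and the central MariaDB root password, so an unauthenticated path to this port is root on the central database. I would remove the `ports:` entry from `application` (it only needs to be reachable on the compose network) and publish only the oauth2-proxy port from the included container template. Also, `PMA_HOST: central-mariadb` is hard-coded while the vars file in this commit defines `database_host`; `PMA_HOST: "{{database_host}}"` keeps the two in sync.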


@@ -1,2 +1,8 @@
docker_compose_project_name: "phpmyadmin"
database_type: "mariadb"
database_type: "mariadb"
database_host: "{{ 'central-' + database_type if enable_central_database}}"
# OAuth2 Proxy Configuration
oauth2_proxy_client_secret: "{{phpmyadmin_oauth2_proxy_client_secret}}"
oauth2_proxy_cookie_secret: "{{phpmyadmin_oauth2_proxy_cookie_secret}}"
oauth2_proxy_upstream_application_and_port: "application:80"
oauth2_proxy_active: true
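Review bot: `database_host: "{{ 'central-' + database_type if enable_central_database}}"` has no `else` branch, so when `enable_central_database` is false the variable renders as an empty string instead of a usable fallback; spell it out, e.g. `database_host: "{{ 'central-' + database_type if enable_central_database | bool else 'database' }}"`, using whatever the non-central database service is actually named. For the new `oauth2_proxy_cookie_secret`, oauth2-proxy requires the value to decode to exactly 16, 24 or 32 bytes — a comment such as `# must be 16, 24 or 32 bytes, e.g. openssl rand -base64 32` on that line would save whoever fills `phpmyadmin_oauth2_proxy_cookie_secret` in the vault a confusing startup failure. The proxy config template in this commit also consumes `oauth2_proxy_allowed_roles`, which is not defined here; confirm it is set at a higher level, otherwise the template fails to render.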