Implemented OAuth2-Proxy and other security measures for phpmyadmin

group_vars/all

@@ -297,21 +297,26 @@ nextcloud_version:          "production"  # @see https://nextcloud.com/blog/next
 
 #### OAuth2 Proxy
 oauth2_configuration_file:            "oauth2-proxy-keycloak.cfg"
-oauth2_proxy_active:                  false       # Needs to be set true in the roles which use it
+oauth2_proxy_active:                  false   # Needs to be set true in the roles which use it
 oauth2_version:                       "latest"
 oauth2_proxy_redirect_url:            "https://{{domain_keycloak}}/auth/realms/{{primary_domain}}/protocol/openid-connect/auth"  # The redirect URL for the OAuth2 flow. It should match the redirect URL configured in Keycloak.
-# oauth2_proxy_port:                  >= 4180     # This ports should be defined in the roles. They are for the local mapping on the host and need to be defined in the playbook for transparancy.
+# oauth2_proxy_port:                  >= 4180 # This ports should be defined in the roles. They are for the local mapping on the host and need to be defined in the playbook for transparancy.
-# oauth2_proxy_upstream_application_and_port:  # The name of the application which the server redirects to. Needs to be defined in role vars.
+# oauth2_proxy_upstream_application_and_port: # The name of the application which the server redirects to. Needs to be defined in role vars.
+oauth2_proxy_allowed_roles:           admin   # Restrict it default to admin role. Use the vars/main.yml to open the specific role for other groups  
 
 #### Open Project
 # openproject_oauth2_proxy_client_secret: Needs to be defined in inventory # The client ID configured in Keycloak for the application. 
-# openproject_oauth2_proxy_cookie_secret: Needs to be defined in inventory # The client secret configured in Keycloak for the application.
+# openproject_oauth2_proxy_cookie_secret: Needs to be defined in inventory # The client secret configured in Keycloak for the application: 0dc07dc3b323921acbd96656f33dc55a
+
 
 #### Peertube
-peertube_version:           "bookworm"
+peertube_version:                         "bookworm"
 
 #### PHPMyAdmin
-phpmyadmin_version:         "latest"
+phpmyadmin_version:                       "latest"
+phpmyadmin_autologin:                     false     # This is a high security risk. Just activate this option if you know what you're doing
+# phpmyadmin_oauth2_proxy_client_secret:    Needs to be defined in inventory # The client ID configured in Keycloak for the application. 
+# phpmyadmin_oauth2_proxy_cookie_secret:    Needs to be defined in inventory # The client secret configured in Keycloak for the application.
 
 #### Pixelfed
 pixelfed_app_name:          "Pictures on {{primary_domain}}"

playbook.servers.yml

@@ -323,7 +323,8 @@
    -  role: docker-phpmyadmin
       vars:
         domain: "{{domain_phpmyadmin}}"
-        http_port: 8034
+        http_port:          8034
+        oauth2_proxy_port:  4181
 
 # Native Webserver Roles
 - name: setup nginx-static-repositorys

roles/docker-ldap/templates/docker-compose.yml.j2

@@ -24,6 +24,7 @@ services:
       LDAP_ADMIN_PASSWORD: {{ldap_administrator_database_password}}  # LDAP admin password
 {% elif ldap_webinterface == 'phpldapadmin' %}
   phpldapadmin:
+    name: phpldapadmin
     image: leenooks/phpldapadmin:{{ldap_phpldapadmin_version}}
     logging:
       driver: journald
@@ -37,6 +38,7 @@ services:
 {% endif %}
   openldap:
     image: bitnami/openldap:{{ldap_openldap_version}}
+    name: openldap
     logging:
       driver: journald
     restart: {{docker_restart_policy}}

roles/docker-mailu/README.md

@@ -177,6 +177,7 @@ If your IP or domain is flagged by Cloudmark, you can submit a **reset request**
 - [Mailu GitHub repository](https://github.com/Mailu/Mailu)
 - [Plesk support article on RoundCube connection issue](https://support.plesk.com/hc/en-us/articles/115001264814-Unable-to-log-into-RoundCube-Connection-to-storage-server-failed)
 - [Gist by marienfressinaud](https://gist.github.com/marienfressinaud/f284a59b18aad395eb0de2d22836ae6b)
+- [Implementing OpenID with Mailu](https://github.com/heviat/Mailu-OIDC)
 
 For more information about this role, visit the [GitHub repository](https://github.com/kevinveenbirkenbach/cymais/tree/master/roles/docker-mailu).
 

roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2

@@ -1,15 +1,19 @@
-http_address="0.0.0.0:4180"
+http_address            =   "0.0.0.0:4180"
-cookie_secret="{{oauth2_proxy_cookie_secret}}"
+cookie_secret           =   "{{oauth2_proxy_cookie_secret}}"
-email_domains="{{primary_domain}}"
+email_domains           =   "{{primary_domain}}"
-cookie_secure="false"
+cookie_secure           =   "false"
-upstreams="http://{{oauth2_proxy_upstream_application_and_port}}"
+upstreams               =   "http://{{oauth2_proxy_upstream_application_and_port}}"
-cookie_domains=["{{domain}}", "{{domain_keycloak}}"]                # Required so cookie can be read on all subdomains.
+cookie_domains          =   ["{{domain}}", "{{domain_keycloak}}"]                   # Required so cookie can be read on all subdomains.
-whitelist_domains=[".{{primary_domain}}"]                           # Required to allow redirection back to original requested target.
+whitelist_domains       =   [".{{primary_domain}}"]                                 # Required to allow redirection back to original requested target.
 
 # keycloak provider
-client_secret="{{oauth2_proxy_client_secret}}"
+client_secret           =   "{{oauth2_proxy_client_secret}}"
-client_id="{{domain}}"
+client_id               =   "{{domain}}"
-redirect_url="https://{{domain}}/oauth2/callback"
+redirect_url            =   "https://{{domain}}/oauth2/callback"
-oidc_issuer_url="https://{{domain_keycloak}}/realms/{{primary_domain}}"
+oidc_issuer_url         =   "https://{{domain_keycloak}}/realms/{{primary_domain}}"
-provider="oidc"
+provider                =   "oidc"
-provider_display_name="Keycloak"
+provider_display_name   =   "Keycloak"
+
+# role restrictions
+cookie_roles            =   "realm_access.roles"
+allowed_roles           =   "{{oauth2_proxy_allowed_roles}}"

roles/docker-phpmyadmin/templates/docker-compose.yml.j2

@@ -1,4 +1,7 @@
 services:
+
+{% include 'roles/docker-oauth2-proxy/templates/container.yml.j2' %}
+
   application:
     logging:
       driver: journald
@@ -6,8 +9,10 @@ services:
     container_name: phpmyadmin
     environment:
       PMA_HOST: central-mariadb
+{% if phpmyadmin_autologin | bool %}
       PMA_USER: root
       PMA_PASSWORD: "{{central_mariadb_root_password}}"
+{% endif %}
     restart: {{docker_restart_policy}}
     ports:
       - "127.0.0.1:{{http_port}}:80"

roles/docker-phpmyadmin/vars/main.yml

@@ -1,2 +1,8 @@
 docker_compose_project_name:  "phpmyadmin"
-database_type:                "mariadb"
+database_type:                "mariadb"
+database_host:                "{{ 'central-' + database_type if enable_central_database}}"
+# OAuth2 Proxy Configuration
+oauth2_proxy_client_secret:                   "{{phpmyadmin_oauth2_proxy_client_secret}}"
+oauth2_proxy_cookie_secret:                   "{{phpmyadmin_oauth2_proxy_cookie_secret}}"
+oauth2_proxy_upstream_application_and_port:   "application:80"
+oauth2_proxy_active:                          true