From b788a7e32bd1db6a7514aee57a8b230a5396b546 Mon Sep 17 00:00:00 2001 From: Kevin Veen-Birkenbach Date: Thu, 6 Feb 2025 15:02:18 +0100 Subject: [PATCH] Implemented OIDC for mailu --- group_vars/all/00_general.yml | 8 +- group_vars/all/05_nginx.yml | 4 +- group_vars/all/07_applications.yml | 24 ----- group_vars/all/11_iam.yml | 38 +++++++ group_vars/all/12_storage.yml | 13 +++ playbook.constructor.yml | 9 ++ roles/docker-bigbluebutton/templates/env.j2 | 8 +- .../templates/discourse_application.yml.j2 | 8 +- roles/docker-mailu/README.md | 101 ++++++++++-------- .../templates/docker-compose.yml.j2 | 20 ++-- roles/docker-mailu/templates/env.j2 | 29 ++++- roles/docker-mailu/vars/main.yml | 6 +- roles/docker-nextcloud/tasks/main.yml | 2 +- roles/docker-nextcloud/tasks/oidc_tasks.yml | 2 +- .../templates/oauth2-proxy-keycloak.cfg.j2 | 4 +- roles/nginx/tasks/main.yml | 1 - 16 files changed, 178 insertions(+), 99 deletions(-) create mode 100644 group_vars/all/11_iam.yml create mode 100644 group_vars/all/12_storage.yml diff --git a/group_vars/all/00_general.yml b/group_vars/all/00_general.yml index 93621a5b..cf8583a7 100644 --- a/group_vars/all/00_general.yml +++ b/group_vars/all/00_general.yml @@ -1,7 +1,6 @@ # General pause_duration: "120" # Database delay to wait for the central database before continue tasks -backups_folder_path: "/Backups/" # Path to the backups folder timezone: "UTC" locale: "en" 
@@ -26,14 +25,8 @@ hours_server_awake: "0..23" ## Random delay for systemd timers to avoid peak loads. randomized_delay_sec: "5min" -# Storage Space-Related Configurations -size_percent_maximum_backup: 75 # Maximum storage space in percent for backups -size_percent_cleanup_disc_space: 85 # Threshold for triggering cleanup actions -size_percent_disc_space_warning: 90 # Warning threshold in percent for free disk space - # Runtime Variables for Process Control activate_all_timers: false # Activates all timers, independend if the handlers had been triggered -nginx_matomo_tracking: false # Activates matomo tracking on all html pages # One Wildcard Certificate for All Subdomains # Enables a single Let's Encrypt wildcard certificate for all subdomains instead of individual certificates. @@ -46,4 +39,5 @@ nginx_matomo_tracking: false # Activates matomo tracking on all enable_wildcard_certificate: false # This enables debugging in ansible and in the apps +# You SHOULD NOT enable this on production servers enable_debug: false diff --git a/group_vars/all/05_nginx.yml b/group_vars/all/05_nginx.yml index a479700f..1595d778 100644 --- a/group_vars/all/05_nginx.yml +++ b/group_vars/all/05_nginx.yml @@ -13,4 +13,6 @@ nginx: homepage: "/usr/share/nginx/homepage/" # Path where the static homepage files are stored. @todo Move this variable to the role ## Nginx static repository -nginx_static_repository_address: NULL #This should contain the url to an git repository which has a static homepage included and an index.html file. @todo move this variable to the role \ No newline at end of file +nginx_static_repository_address: NULL #This should contain the url to an git repository which has a static homepage included and an index.html file. @todo move this variable to the role + +nginx_matomo_tracking: false # Activates matomo tracking on all html pages \ No newline at end of file 
diff --git a/group_vars/all/07_applications.yml b/group_vars/all/07_applications.yml index d41c00fe..fc0567f9 100644 --- a/group_vars/all/07_applications.yml +++ b/group_vars/all/07_applications.yml @@ -1,32 +1,8 @@ # Docker Applications -## Enable Central MariaDB -enable_central_database: true -enable_central_database_mailu: "{{enable_central_database}}" - -## Enable Storage Optimizer for Docker Volumes -enable_system_storage_optimizer: true - ## Docker Role Specific Parameters docker_restart_policy: "unless-stopped" -### Keycloak Client Configuration -oidc_client_active: true # Implement OpenID Connect https://en.wikipedia.org/wiki/OpenID_Connect -oidc_client_id: "{{primary_domain}}" -oidc_client_realm: "{{primary_domain}}" -oidc_client_issuer_url: "https://{{domains.keycloak}}/realms/{{oidc_client_realm}}" -oidc_client_discovery_document: "{{oidc_client_issuer_url}}/.well-known/openid-configuration" -oidc_client_authorize_url: "{{oidc_client_issuer_url}}/protocol/openid-connect/auth" -oidc_client_toke_url: "{{oidc_client_issuer_url}}/protocol/openid-connect/token" -oidc_client_user_info_url: "{{oidc_client_issuer_url}}/protocol/openid-connect/userinfo" -oidc_client_logout_url: "{{oidc_client_issuer_url}}/protocol/openid-connect/logout" -# oidc_client_secret: "{{oidc_client_secret}}" # Default use wildcard for primary domain, subdomain client specific configuration in vars files in the roles is possible - -ldap_network_enabled: false # Activate LDAP network for insecure communitation on localhot between different container instances. Set in vars/main.yml - -oauth2_proxy_upstream_application_and_port: "application:80" # The name of the application which the server redirects to. Needs to be defined in role vars. -oauth2_proxy_active: false - defaults_applications: ## Akaunting diff --git a/group_vars/all/11_iam.yml b/group_vars/all/11_iam.yml new file mode 100644 index 00000000..d5d61d05 --- /dev/null +++ b/group_vars/all/11_iam.yml 
@@ -0,0 +1,38 @@
+#############################################
+### Identity and Access Management (IAM) ###
+#############################################
+
+#############################################
+### OIDC ###
+#############################################
+# @see https://en.wikipedia.org/wiki/OpenID_Connect
+
+## Private configuration variables:
+_oidc_client_realm: "{{ oidc.client.realm if oidc.client is defined and oidc.client.realm is defined else primary_domain }}"
+_oidc_client_issuer_url: "https://{{domains.keycloak}}/realms/{{_oidc_client_realm}}"
+
+defaults_oidc:
+ enabled: true
+ client:
+ id: "{{primary_domain}}"
+# secret: # Define in inventory file
+ realm: "{{_oidc_client_realm}}"
+ issuer_url: "{{_oidc_client_issuer_url}}"
+ discovery_document: "{{_oidc_client_issuer_url}}/.well-known/openid-configuration"
+ authorize_url: "{{_oidc_client_issuer_url}}/protocol/openid-connect/auth"
+ toke_url: "{{_oidc_client_issuer_url}}/protocol/openid-connect/token"
+ user_info_url: "{{_oidc_client_issuer_url}}/protocol/openid-connect/userinfo"
+ logout_url: "{{_oidc_client_issuer_url}}/protocol/openid-connect/logout"
+
+#############################################
+### OAuth2-Proxy ###
+#############################################
+# The name of the application which the server redirects to. Needs to be defined in role vars.
+oauth2_proxy_upstream_application_and_port: "application:80"
+oauth2_proxy_active: false
+
+#############################################
+### LDAP ###
+#############################################
+# Activate LDAP network for insecure communitation on localhot between different container instances. Set in vars/main.yml
+ldap_network_enabled: false
diff --git a/group_vars/all/12_storage.yml b/group_vars/all/12_storage.yml
new file mode 100644
index 00000000..db716545
--- /dev/null
+++ b/group_vars/all/12_storage.yml
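Review bot: `defaults_oidc.enabled` is `true` while `client.secret` is only a commented-out key to be supplied by the inventory, so on any host whose inventory does not define `oidc.client.secret` every template in this patch that renders `{{oidc.client.secret}}` (Mailu, BigBlueButton, Discourse, oauth2-proxy) fails on an undefined variable with Ansible's default settings, or ships an empty client secret if undefined variables are tolerated. Consider `enabled: false` as the default, or an `assert` that `oidc.client.secret is defined` whenever `oidc.enabled` is true, so a half-configured host fails with a clear message. The key `toke_url` carries a typo into the new public `oidc` dict and is already consumed in roles/docker-nextcloud/tasks/oidc_tasks.yml; renaming it to `token_url` now is cheaper than after more roles depend on it.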
@@ -0,0 +1,13 @@ +## Enable Central Postgress and MariaDB instead of dedicated container per application +enable_central_database: true +enable_central_database_mailu: "{{enable_central_database}}" + +## Enable Storage Optimizer for Docker Volumes +enable_system_storage_optimizer: true + +backups_folder_path: "/Backups/" # Path to the backups folder + +# Storage Space-Related Configurations +size_percent_maximum_backup: 75 # Maximum storage space in percent for backups +size_percent_cleanup_disc_space: 85 # Threshold for triggering cleanup actions +size_percent_disc_space_warning: 90 # Warning threshold in percent for free disk space \ No newline at end of file diff --git a/playbook.constructor.yml b/playbook.constructor.yml index 64caef53..2c70a519 100644 --- a/playbook.constructor.yml +++ b/playbook.constructor.yml @@ -22,6 +22,15 @@ - name: Merge networks definitions set_fact: networks: "{{ defaults_networks | combine(networks | default({}, true), recursive=True) }}" + + - name: Merge oidc configuration + set_fact: + oidc: "{{ defaults_oidc | combine(oidc | default({}, true), recursive=True) }}" + + - name: print oidc dict + debug: + var: oidc + when: enable_debug | bool - name: update device hosts: all diff --git a/roles/docker-bigbluebutton/templates/env.j2 b/roles/docker-bigbluebutton/templates/env.j2 index 37264b6f..810dd842 100644 --- a/roles/docker-bigbluebutton/templates/env.j2 +++ b/roles/docker-bigbluebutton/templates/env.j2 
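Review bot: The new `print oidc dict` task in playbook.constructor.yml dumps the merged `oidc` mapping, which includes `oidc.client.secret`, into the playbook output and any captured logs whenever `enable_debug` is set. Since the task exists for inspection, print a redacted copy instead, e.g. `msg: "{{ oidc | combine({'client': {'secret': '<redacted>'}}, recursive=True) }}"` in place of `var: oidc`, or add `no_log: true` if the value itself is not needed. The play this task belongs to starts outside the hunk.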
@@ -282,12 +282,12 @@ HELP_URL=https://docs.bigbluebutton.org/greenlight/gl-overview.html # approval - For approve/decline registration DEFAULT_REGISTRATION=invite -{% if oidc_client_active | bool %} +{% if oidc.enabled | bool %} ### EXTERNAL AUTHENTICATION METHODS # @See https://docs.bigbluebutton.org/greenlight/v3/external-authentication/ # -OPENID_CONNECT_CLIENT_ID={{oidc_client_id}} -OPENID_CONNECT_CLIENT_SECRET={{oidc_client_secret}} -OPENID_CONNECT_ISSUER={{oidc_client_issuer_url}} +OPENID_CONNECT_CLIENT_ID={{oidc.client.id}} +OPENID_CONNECT_CLIENT_SECRET={{oidc.client.secret}} +OPENID_CONNECT_ISSUER={{oidc.client.issuer_url}} OPENID_CONNECT_REDIRECT=https://{{domain}} {% endif %} \ No newline at end of file diff --git a/roles/docker-discourse/templates/discourse_application.yml.j2 b/roles/docker-discourse/templates/discourse_application.yml.j2 index 20d0e8f2..207d01d4 100644 --- a/roles/docker-discourse/templates/discourse_application.yml.j2 +++ b/roles/docker-discourse/templates/discourse_application.yml.j2 
@@ -112,16 +112,16 @@ run: ## If you want to set the 'From' email address for your first registration, uncomment and change: ## After getting the first signup email, re-comment the line. It only needs to run once. #- exec: rails r "SiteSetting.notification_email='info@unconfigured.discourse.org'" -{% if oidc_client_active | bool %} +{% if oidc.enabled | bool %} # Deactivate Default Login - exec: rails r "SiteSetting.enable_local_logins = false" - exec: rails r "SiteSetting.enable_passkeys = false" # https://meta.discourse.org/t/passwordless-login-using-passkeys/285589 # OIDC Activation - exec: rails r "SiteSetting.openid_connect_enabled = true" - - exec: rails r "SiteSetting.openid_connect_discovery_document = '{{oidc_client_discovery_document}}'" - - exec: rails r "SiteSetting.openid_connect_client_id = '{{oidc_client_id}}'" - - exec: rails r "SiteSetting.openid_connect_client_secret = '{{oidc_client_secret}}'" + - exec: rails r "SiteSetting.openid_connect_discovery_document = '{{oidc.client.discovery_document}}'" + - exec: rails r "SiteSetting.openid_connect_client_id = '{{oidc.client.id}}'" + - exec: rails r "SiteSetting.openid_connect_client_secret = '{{oidc.client.secret}}'" - exec: rails r "SiteSetting.openid_connect_rp_initiated_logout_redirect = 'https://{{domain}}'" - exec: rails r "SiteSetting.openid_connect_allow_association_change = false" - exec: rails r "SiteSetting.openid_connect_rp_initiated_logout = true" diff --git a/roles/docker-mailu/README.md b/roles/docker-mailu/README.md index 3b6b5e93..9ae98ffa 100644 --- a/roles/docker-mailu/README.md +++ b/roles/docker-mailu/README.md 
@@ -1,8 +1,8 @@ -# Mailu Server Docker Role +# Mailu Server Docker Role ๐Ÿš€ -This guide provides instructions for setting up, operating, and maintaining the Mailu server docker role. +This guide provides instructions for setting up, operating, and maintaining the [Mailu](https://mailu.io/) server Docker role. -## Table of Contents +## Table of Contents ๐Ÿ“– - [Setup](#setup) - [Fetchmail Issues](#fetchmail-issues) @@ -16,24 +16,25 @@ This guide provides instructions for setting up, operating, and maintaining the - [Updates](#updates) - [Queue Management](#queue-management) - [Spam Issues](#spam-issues) +- [OIDC Support](#oidc-support) - [To-Do](#to-do) - [References](#references) -## Setup +## Setup โš™๏ธ -### Fetchmail Issues +### Fetchmail Issues ๐Ÿ“จ Fetchmail might not work properly with large amounts of data. For more information, refer to this [issue](https://github.com/Mailu/Mailu/issues/1719). -#### Deactivating Fetchmail +#### Deactivating Fetchmail โŒ Before uninstalling Fetchmail, ensure you remove all fetched accounts from the administration panel. -#### Fetchmail Security Concerns +#### Fetchmail Security Concerns ๐Ÿ” There are known security concerns with Fetchmail as stated in the [German Wikipedia](https://de.wikipedia.org/wiki/Fetchmail). If you require Fetchmail functions in the future, consider creating a Docker container for [Getmail](https://en.wikipedia.org/wiki/Getmail) as it is considered more secure. -#### Fetchmail Workaround +#### Fetchmail Workaround ๐Ÿ”„ If you need to receive emails from another account, follow these steps: @@ -41,7 +42,7 @@ If you need to receive emails from another account, follow these steps: 2. Export all data from your original account. 3. Import all data to your new account. -### Port Management +### Port Management ๐ŸŒ Check for any port conflicts and manually change the conflicting ports if necessary. Use the following command to verify: 
@@ -49,7 +50,7 @@ Check for any port conflicts and manually change the conflicting ports if necess netstat -tulpn ``` -### Admin Account Creation +### Admin Account Creation ๐Ÿ‘ค To use Mailu, create the primary administrator user account, `admin@{{hostname}}`, using the command below. Replace `PASSWORD` with your preferred password: @@ -57,11 +58,11 @@ To use Mailu, create the primary administrator user account, `admin@{{hostname}} docker-compose -p mailu exec admin flask mailu admin {{admin}} {{hostname}} PASSWORD ``` -### CLI User Management +### CLI User Management ๐Ÿ› ๏ธ For managing users, follow the instructions in the official [Mailu CLI documentation](https://mailu.io/master/cli.html). -### Starting the Server +### Starting the Server โ–ถ๏ธ To start the server, use the following command: @@ -69,9 +70,9 @@ To start the server, use the following command: docker-compose -p mailu up -d ``` -## Debugging +## Debugging ๐Ÿ•ต๏ธโ€โ™‚๏ธ -### Database Access +### Database Access ๐Ÿ“‚ To access the database, use the following command: @@ -79,7 +80,7 @@ To access the database, use the following command: docker-compose exec -it database mysql -u root -D mailu -p ``` -### Container Access +### Container Access ๐Ÿ–ฅ๏ธ To access the front container, use this command: @@ -87,15 +88,15 @@ To access the front container, use this command: docker-compose exec -it front /bin/bash ``` -### Restarting Services +### Restarting Services ๐Ÿ”„ To restart all services, use the following command: ```bash -docker-compose restart +docker-compose restart ``` -### Resending Queued Mails +### Resending Queued Mails โœ‰๏ธ To resend queued mails, use this command: 
@@ -103,63 +104,69 @@ To resend queued mails, use this command: docker-compose exec -it smtp postqueue -f ``` -## Testing +## Testing ๐Ÿงช Use the following tools for testing: -- SSL-Tools Mailserver Test (URL: https://de.ssl-tools.net/mailservers/) -- TestEmail.de (URL: http://testemail.de/) +- [SSL-Tools Mailserver Test](https://de.ssl-tools.net/mailservers/) +- [TestEmail.de](http://testemail.de/) -## Updates +## Updates ๐Ÿ”„ For instructions on updating your Mailu setup, follow the official [Mailu maintenance guide](https://mailu.io/master/maintain.html). -## Queue Management +## Queue Management ๐Ÿ“ฌ To manage the Postfix email queue in Mailu, you can use the following commands: -- **Display the email queue**: This command shows all queued emails. +- **Display the email queue**: + ```bash docker compose exec -it smtp postqueue -p ``` -- **Delete all emails in the queue**: To remove all queued emails permanently, use the command: +- **Delete all emails in the queue**: + ```bash docker compose exec -it smtp postsuper -d ALL ``` -These commands can help control the email queue, especially for clearing out emails with delivery issues or delays. +## Spam Issues ๐Ÿšจ -## Spam Issues - -### Inspect +### Inspect ๐Ÿ”Ž Use the following tools to monitor your domain and email deliverability: - [Google Postmaster](https://postmaster.google.com/) - Analyzes deliverability and spam issues for Gmail. - [Yahoo Postmaster](https://postmaster.yahooinc.com) - Provides insights and delivery reports for Yahoo. -### Blacklist Check +### Blacklist Check ๐Ÿšซ If your domain is blacklisted, you can check the status with these services and take steps to remove your domain if necessary: -- [Spamhaus](https://check.spamhaus.org/) - One of the most widely used blacklists for spam. -- [Barracuda](https://www.barracudacentral.org/lookups) - Checks if your IP is on the Barracuda blacklist. 
+- [Spamhaus](https://check.spamhaus.org/) +- [Barracuda](https://www.barracudacentral.org/lookups) -### Cloudmark Reset Request +### Cloudmark Reset Request ๐Ÿ”„ -If your IP or domain is flagged by Cloudmark, you can submit a **reset request** to help restore deliverability: +If your IP or domain is flagged by Cloudmark, you can submit a **reset request**: - [Cloudmark Reset](https://csi.cloudmark.com/en/reset/) -## To-Do +## OIDC Support ๐Ÿ” -- Implement two-factor authentication in Roundcube Webmail. More information can be found [here](https://blog.kuepper.nrw/2019/03/30/roundcube-webmail-mit-zwei-faktor-authentifizierung/). -- Integrate Nextcloud 15 and newer with Mailu. Learn more about this [here](https://mailu.io/master/faq.html#i-want-to-integrate-nextcloud-15-and-newer-with-mailu). -- User authentication with Nextcloud. Find more information [here](https://docs.nextcloud.com/server/9.0/admin_manual/configuration_user/user_auth_ftp_smb_imap.html). +This role now supports OpenID Connect (OIDC) authentication with [Mailu-OIDC](https://github.com/heviat/Mailu-OIDC)! ๐ŸŽ‰ -## References +To enable OIDC authentication, simply set the following variable: +```yaml +oidc: + enabled: true +``` + +For more details, check out the [Mailu-OIDC repository](https://github.com/heviat/Mailu-OIDC/tree/2024.06). + +## References ๐Ÿ”— - [Mailu compose setup guide](https://mailu.io/1.7/compose/setup.html) - [SysPass issue #1299](https://github.com/nuxsmin/sysPass/issues/1299) - [Mailu issue #1719](https://github.com/Mailu/Mailu/issues/1719) 
@@ -169,8 +176,18 @@ If your IP or domain is flagged by Cloudmark, you can submit a **reset request** - [Mailu GitHub repository](https://github.com/Mailu/Mailu) - [Plesk support article on RoundCube connection issue](https://support.plesk.com/hc/en-us/articles/115001264814-Unable-to-log-into-RoundCube-Connection-to-storage-server-failed) - [Gist by marienfressinaud](https://gist.github.com/marienfressinaud/f284a59b18aad395eb0de2d22836ae6b) -- [Implementing OpenID with Mailu](https://github.com/heviat/Mailu-OIDC) -For more information about this role, visit the [GitHub repository](https://github.com/kevinveenbirkenbach/cymais/tree/master/roles/docker-mailu). +--- -This README.md was optimized with [Chat-GPT](https://chat.openai.com/share/d1ad5ce7-3aa1-4a14-a959-63393b39374a) \ No newline at end of file +For more information about this role, visit the GitHub repositories: +- [Mailu](https://github.com/kevinveenbirkenbach/cymais/tree/master/roles/docker-mailu) +- [Mailu-OIDC](https://github.com/heviat/Mailu-OIDC) + +### About this Role โœจ + +This Mailu Docker role was developed by **[Kevin Veen-Birkenbach](https://veen.world)**. + +This `README.md` was optimized with the help of [ChatGPT](https://chat.openai.com)๐Ÿš€ and this conversations: + +- https://chat.openai.com/share/d1ad5ce7-3aa1-4a14-a959-63393b39374a +- https://chatgpt.com/share/67a4bffb-9330-800f-aed5-715c6a8ced2f \ No newline at end of file diff --git a/roles/docker-mailu/templates/docker-compose.yml.j2 b/roles/docker-mailu/templates/docker-compose.yml.j2 index 7a1cd802..3a5f0f3e 100644 --- a/roles/docker-mailu/templates/docker-compose.yml.j2 +++ b/roles/docker-mailu/templates/docker-compose.yml.j2 
@@ -6,13 +6,13 @@ services: # Core services resolver: - image: ghcr.io/mailu/unbound:{{applications.mailu.version}} + image: {{docker_source}}/unbound:{{applications.mailu.version}} {% include 'roles/docker-compose/templates/services/base.yml.j2' %} {% include 'templates/docker/container/networks.yml.j2' %} ipv4_address: {{networks.local.mailu.dns}} front: - image: ghcr.io/mailu/nginx:{{applications.mailu.version}} + image: {{docker_source}}/nginx:{{applications.mailu.version}} {% include 'roles/docker-compose/templates/services/base.yml.j2' %} ports: - "127.0.0.1:{{ http_port }}:80" @@ -37,7 +37,7 @@ services: - {{networks.local.mailu.dns}} admin: - image: ghcr.io/mailu/admin:{{applications.mailu.version}} + image: {{docker_source}}/admin:{{applications.mailu.version}} {% include 'roles/docker-compose/templates/services/base.yml.j2' %} volumes: - "admin_data:/data" @@ -52,7 +52,7 @@ services: {% include 'templates/docker/container/networks.yml.j2' %} imap: - image: ghcr.io/mailu/dovecot:{{applications.mailu.version}} + image: {{docker_source}}/dovecot:{{applications.mailu.version}} {% include 'roles/docker-compose/templates/services/base.yml.j2' %} volumes: - "dovecot_mail:/mail" @@ -65,7 +65,7 @@ services: {% include 'templates/docker/container/networks.yml.j2' %} smtp: - image: ghcr.io/mailu/postfix:{{applications.mailu.version}} + image: {{docker_source}}/postfix:{{applications.mailu.version}} {% include 'roles/docker-compose/templates/services/base.yml.j2' %} volumes: - "{{docker_compose.directories.volumes}}overrides:/overrides:ro" @@ -78,7 +78,7 @@ services: {% include 'templates/docker/container/networks.yml.j2' %} oletools: - image: ghcr.io/mailu/oletools:{{applications.mailu.version}} + image: {{docker_source}}/oletools:{{applications.mailu.version}} hostname: oletools restart: {{docker_restart_policy}} depends_on: 
@@ -89,7 +89,7 @@ services: noinet: antispam: - image: ghcr.io/mailu/rspamd:{{applications.mailu.version}} + image: {{docker_source}}/rspamd:{{applications.mailu.version}} {% include 'roles/docker-compose/templates/services/base.yml.j2' %} volumes: - "filter:/var/lib/rspamd" @@ -119,7 +119,7 @@ services: {% include 'templates/docker/container/networks.yml.j2' %} webdav: - image: ghcr.io/mailu/radicale:{{applications.mailu.version}} + image: {{docker_source}}/radicale:{{applications.mailu.version}} {% include 'roles/docker-compose/templates/services/base.yml.j2' %} volumes: - "webdav_data:/data" @@ -131,7 +131,7 @@ services: radicale: fetchmail: - image: ghcr.io/mailu/fetchmail:{{applications.mailu.version}} + image: {{docker_source}}/fetchmail:{{applications.mailu.version}} volumes: - "admin_data:/data" {% include 'roles/docker-compose/templates/services/base.yml.j2' %} @@ -145,7 +145,7 @@ services: {% include 'templates/docker/container/networks.yml.j2' %} webmail: - image: ghcr.io/mailu/webmail:{{applications.mailu.version}} + image: {{docker_source}}/webmail:{{applications.mailu.version}} {% include 'roles/docker-compose/templates/services/base.yml.j2' %} volumes: - "webmail_data:/data" diff --git a/roles/docker-mailu/templates/env.j2 b/roles/docker-mailu/templates/env.j2 index 4fb32d42..b27e4354 100644 --- a/roles/docker-mailu/templates/env.j2 +++ b/roles/docker-mailu/templates/env.j2 
@@ -148,4 +148,31 @@ SQLALCHEMY_DATABASE_URI=mysql+mysqlconnector://{{database_username}}:{{database_ API_TOKEN={{mailu_api_token}} # Activated https://mailu.io/master/configuration.html#advanced-settings -AUTH_REQUIRE_TOKENS=True \ No newline at end of file +AUTH_REQUIRE_TOKENS=True + + +{% if oidc.enabled | bool %} +################################### +# OpenID Connect settings +################################### +# @see https://github.com/heviat/Mailu-OIDC/tree/master + +# Enable OpenID Connect. Possible values: True, False +OIDC_ENABLED={{ oidc.enabled | string | capitalize }} +# OpenID Connect provider configuration URL +OIDC_PROVIDER_INFO_URL={{oidc.client.issuer_url}} +# OpenID redirect URL if HOSTNAME not matching your login url +OIDC_REDIRECT_URL=https://{{domain}} +# OpenID Connect Client ID for Mailu +OIDC_CLIENT_ID={{oidc.client.id}} +# OpenID Connect Client secret for Mailu +OIDC_CLIENT_SECRET={{oidc.client.secret}} +# Label text for OpenID Connect login button. Default: OpenID Connect +OIDC_BUTTON_NAME=OpenID Connect +# Disable TLS certificate verification for the OIDC client. Possible values: True, False +OIDC_VERIFY_SSL=True +# Enable redirect to OIDC provider for password change. Possible values: True, False +OIDC_CHANGE_PASSWORD_REDIRECT_ENABLED=True +# Redirect URL for password change. Defaults to provider issuer url appended by /.well-known/change-password +#OIDC_CHANGE_PASSWORD_REDIRECT_URL=https://oidc.example.com/pw-change +{% endif %} \ No newline at end of file diff --git a/roles/docker-mailu/vars/main.yml b/roles/docker-mailu/vars/main.yml index ec57a852..ad2e10e7 100644 --- a/roles/docker-mailu/vars/main.yml +++ b/roles/docker-mailu/vars/main.yml 
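Review bot: `OIDC_PROVIDER_INFO_URL={{oidc.client.issuer_url}}` assigns the bare issuer to a setting that the line's own comment calls the "provider configuration URL", while the defaults added in this patch define `discovery_document` (`.../.well-known/openid-configuration`) for exactly that purpose; unless Mailu-OIDC appends the well-known path itself, provider discovery will fail at first login. Suggested: `OIDC_PROVIDER_INFO_URL={{oidc.client.discovery_document}}`. The client secret is rendered into this env file alongside `API_TOKEN`; the mode and ownership applied by the task that writes it are outside the hunk and worth confirming.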
@@ -7,4 +7,8 @@ enable_wildcard_certificate: false
 # I don't know why this configuration is necessary.
 # Propabldy due to a database migration problem, or dificulties to configure an external db in mailu
 # @todo research
-enable_central_database: "{{enable_central_database_mailu}}"
\ No newline at end of file
+enable_central_database: "{{enable_central_database_mailu}}"
+
+# Use dedicated source for oidc if activated
+# @see https://github.com/heviat/Mailu-OIDC/tree/2024.06
+docker_source: "{{ 'ghcr.io/heviat' if oidc.enabled | bool else 'ghcr.io/mailu' }}"
\ No newline at end of file
diff --git a/roles/docker-nextcloud/tasks/main.yml b/roles/docker-nextcloud/tasks/main.yml
index 28bd60a0..54d4e4c7 100644
--- a/roles/docker-nextcloud/tasks/main.yml
+++ b/roles/docker-nextcloud/tasks/main.yml
@@ -35,4 +35,4 @@
 # @todo activate
 #- name: Include OIDC-specific tasks if OIDC client is active
 # include_tasks: oidc_tasks.yml
-# when: oidc_client_active | bool
+# when: oidc.enabled | bool
diff --git a/roles/docker-nextcloud/tasks/oidc_tasks.yml b/roles/docker-nextcloud/tasks/oidc_tasks.yml
index 1e1cfebe..7c09e14c 100644
--- a/roles/docker-nextcloud/tasks/oidc_tasks.yml
+++ b/roles/docker-nextcloud/tasks/oidc_tasks.yml
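Review bot: `docker_source` switches every Mailu service image in roles/docker-mailu/templates/docker-compose.yml.j2 (the two hunks above, resolver through webmail) from `ghcr.io/mailu` to the third-party `ghcr.io/heviat` namespace on a single boolean, with only `applications.mailu.version` as the tag and no digest pinning, so the whole mail stack — including the dovecot and postfix containers that hold mail data — now depends on a fork's registry account and release cadence. The comment links the 2024.06 tree; it is worth stating in the same comment which versions the fork publishes images for, and adding an `assert` that `applications.mailu.version` is one of them when `oidc.enabled` is true, so a missing tag fails with a clear message instead of at `docker compose pull`. Pinning the image references by digest would additionally make the source switch auditable.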
@@ -20,7 +20,7 @@ command: > docker-compose exec -u www-data application /var/www/html/occ config:app:set sociallogin custom_providers - --value='{"custom_oidc":[{"name":"{{domains.keycloak}}","title":"keycloak","authorizeUrl":"{{oidc_client_authorize_url}}","tokenUrl":"{{oidc_client_toke_url}}","displayNameClaim":"","userInfoUrl":"{{oidc_client_user_info_url}}","logoutUrl":"{{oidc_client_logout_url}}","clientId":"{{oidc_client_id}}","clientSecret":"{{oidc_client_secret}}","scope":"openid","groupsClaim":"","style":"","defaultGroup":""}]}' + --value='{"custom_oidc":[{"name":"{{domains.keycloak}}","title":"keycloak","authorizeUrl":"{{oidc.client.authorize_url}}","tokenUrl":"{{oidc.client.toke_url}}","displayNameClaim":"","userInfoUrl":"{{oidc.client.user_info_url}}","logoutUrl":"{{oidc.client.logout_url}}","clientId":"{{oidc.client.id}}","clientSecret":"{{oidc.client.secret}}","scope":"openid","groupsClaim":"","style":"","defaultGroup":""}]}' # This configuration defines custom OpenID Connect (OIDC) providers for authentication. # In this case, it sets up a Keycloak provider with details like URLs for authorization, # token retrieval, user info, and logout, as well as the client ID and secret. diff --git a/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2 b/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2 index 6e5ba7da..9c000090 100644 --- a/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2 +++ b/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2 
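Review bot: The rewritten `--value=` line still embeds `{{oidc.client.secret}}` in a `command:` string, so the secret appears in the Ansible task output and on the `docker-compose exec` command line visible in the host's process list; the task header is outside the hunk, so I cannot see whether it already carries `no_log: true`. If it does not, add `no_log: true` to the task. The line also consumes the misspelled `oidc.client.toke_url` key, so any later rename of that key in group_vars/all/11_iam.yml must be mirrored here.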
@@ -7,8 +7,8 @@ cookie_domains = ["{{domain}}", "{{domains.keycloak}}"] whitelist_domains = [".{{primary_domain}}"] # Required to allow redirection back to original requested target. # keycloak provider -client_secret = "{{oidc_client_secret}}" -client_id = "{{oidc_client_id}}" +client_secret = "{{oidc.client.secret}}" +client_id = "{{oidc.client.id}}" redirect_url = "https://{{domain}}/oauth2/callback" oidc_issuer_url = "{{oidc_client_issuer_url}}" provider = "oidc" diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index 956a2a89..9e82e8b5 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -35,7 +35,6 @@ - name: "include task certbot-matomo.yml" include_tasks: certbot-matomo.yml - when: run_once_nginx is not defined vars: domain: "{{primary_domain}}" when: run_once_nginx is not defined
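Review bot: The context line `oidc_issuer_url = "{{oidc_client_issuer_url}}"` still references the flat `oidc_client_issuer_url` variable that this patch removes from group_vars/all/07_applications.yml, while the two lines directly above it were migrated to `oidc.client.*`; unless the old name is still defined somewhere else, rendering this template now fails on an undefined variable (or, with undefined variables tolerated, produces an empty issuer that oauth2-proxy rejects at startup). Change it to `oidc_issuer_url = "{{oidc.client.issuer_url}}"`.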