Implemented OIDC for mailu

2025-08-29 15:06:26 +02:00 · 2025-02-06 15:02:18 +01:00
parent ea30612de9
commit b788a7e32b
16 changed files with 178 additions and 99 deletions
--- a/group_vars/all/00_general.yml
+++ b/group_vars/all/00_general.yml
@@ -1,7 +1,6 @@
 # General
 pause_duration:         "120"         # Database delay to wait for the central database before continue tasks

-backups_folder_path:    "/Backups/"   # Path to the backups folder
 timezone:               "UTC"
 locale:                 "en"

@@ -26,14 +25,8 @@ hours_server_awake:               "0..23"
 ## Random delay for systemd timers to avoid peak loads.
 randomized_delay_sec:             "5min" 

-# Storage Space-Related Configurations          
-size_percent_maximum_backup:      75  # Maximum storage space in percent for backups
-size_percent_cleanup_disc_space:  85  # Threshold for triggering cleanup actions
-size_percent_disc_space_warning:  90  # Warning threshold in percent for free disk space
-
 # Runtime Variables for Process Control
 activate_all_timers:                  false   # Activates all timers, independend if the handlers had been triggered
-nginx_matomo_tracking:                false   # Activates matomo tracking on all html pages

 # One Wildcard Certificate for All Subdomains
 # Enables a single Let's Encrypt wildcard certificate for all subdomains instead of individual certificates.
@@ -46,4 +39,5 @@ nginx_matomo_tracking:                false   # Activates matomo tracking on all
 enable_wildcard_certificate:          false  

 # This enables debugging in ansible and in the apps
+# You SHOULD NOT enable this on production servers
 enable_debug:   false
--- a/group_vars/all/05_nginx.yml
+++ b/group_vars/all/05_nginx.yml
@@ -13,4 +13,6 @@ nginx:
    homepage:       "/usr/share/nginx/homepage/"      # Path where the static homepage files are stored. @todo Move this variable to the role

 ## Nginx static repository
-nginx_static_repository_address: NULL #This should contain the url to an git repository which has a static homepage included and an index.html file. @todo move this variable to the role
+nginx_static_repository_address: NULL #This should contain the url to an git repository which has a static homepage included and an index.html file. @todo move this variable to the role
+
+nginx_matomo_tracking:                false   # Activates matomo tracking on all html pages
--- a/group_vars/all/07_applications.yml
+++ b/group_vars/all/07_applications.yml
@@ -1,32 +1,8 @@
 # Docker Applications

-## Enable Central MariaDB
-enable_central_database: true
-enable_central_database_mailu: "{{enable_central_database}}"
-
-## Enable Storage Optimizer for Docker Volumes
-enable_system_storage_optimizer: true
-
 ## Docker Role Specific Parameters
 docker_restart_policy:        "unless-stopped"

-### Keycloak Client Configuration
-oidc_client_active:               true  # Implement OpenID Connect https://en.wikipedia.org/wiki/OpenID_Connect
-oidc_client_id:                   "{{primary_domain}}"
-oidc_client_realm:                "{{primary_domain}}"   
-oidc_client_issuer_url:           "https://{{domains.keycloak}}/realms/{{oidc_client_realm}}"
-oidc_client_discovery_document:   "{{oidc_client_issuer_url}}/.well-known/openid-configuration"
-oidc_client_authorize_url:        "{{oidc_client_issuer_url}}/protocol/openid-connect/auth"
-oidc_client_toke_url:             "{{oidc_client_issuer_url}}/protocol/openid-connect/token"
-oidc_client_user_info_url:        "{{oidc_client_issuer_url}}/protocol/openid-connect/userinfo"
-oidc_client_logout_url:           "{{oidc_client_issuer_url}}/protocol/openid-connect/logout"
-# oidc_client_secret:             "{{oidc_client_secret}}"  # Default use wildcard for primary domain, subdomain client specific configuration in vars files in the roles is possible
-
-ldap_network_enabled:                  false                                     # Activate LDAP network for insecure communitation on localhot between different container instances. Set in vars/main.yml
-
-oauth2_proxy_upstream_application_and_port:  "application:80"                          # The name of the application which the server redirects to. Needs to be defined in role vars.
-oauth2_proxy_active:                         false   
-
 defaults_applications:

  ## Akaunting
--- a/group_vars/all/11_iam.yml
+++ b/group_vars/all/11_iam.yml
@@ -0,0 +1,38 @@
+#############################################
+### Identity and Access Management (IAM)  ###
+#############################################
+
+#############################################
+### OIDC                                  ###
+#############################################
+# @see https://en.wikipedia.org/wiki/OpenID_Connect
+
+## Private configuration variables:
+_oidc_client_realm:       "{{ oidc.client.realm if oidc.client is defined and oidc.client.realm is defined else primary_domain }}"
+_oidc_client_issuer_url:  "https://{{domains.keycloak}}/realms/{{_oidc_client_realm}}"
+
+defaults_oidc:
+  enabled:               true
+  client:
+    id:                   "{{primary_domain}}"
+#   secret:               # Define in inventory file
+    realm:                "{{_oidc_client_realm}}"
+    issuer_url:           "{{_oidc_client_issuer_url}}"
+    discovery_document:   "{{_oidc_client_issuer_url}}/.well-known/openid-configuration"
+    authorize_url:        "{{_oidc_client_issuer_url}}/protocol/openid-connect/auth"
+    toke_url:             "{{_oidc_client_issuer_url}}/protocol/openid-connect/token"
+    user_info_url:        "{{_oidc_client_issuer_url}}/protocol/openid-connect/userinfo"
+    logout_url:           "{{_oidc_client_issuer_url}}/protocol/openid-connect/logout"
+
+#############################################
+### OAuth2-Proxy                          ###
+#############################################
+# The name of the application which the server redirects to. Needs to be defined in role vars.
+oauth2_proxy_upstream_application_and_port:  "application:80"
+oauth2_proxy_active:                         false   
+
+#############################################
+### LDAP                                  ###
+#############################################
+# Activate LDAP network for insecure communitation on localhot between different container instances. Set in vars/main.yml
+ldap_network_enabled:                  false
--- a/group_vars/all/12_storage.yml
+++ b/group_vars/all/12_storage.yml
@@ -0,0 +1,13 @@
+## Enable Central Postgress and MariaDB instead of dedicated container per application
+enable_central_database:          true
+enable_central_database_mailu:    "{{enable_central_database}}"
+
+## Enable Storage Optimizer for Docker Volumes
+enable_system_storage_optimizer:  true
+
+backups_folder_path:              "/Backups/"   # Path to the backups folder
+
+# Storage Space-Related Configurations          
+size_percent_maximum_backup:      75  # Maximum storage space in percent for backups
+size_percent_cleanup_disc_space:  85  # Threshold for triggering cleanup actions
+size_percent_disc_space_warning:  90  # Warning threshold in percent for free disk space