diff --git a/cli/utils/manager/inventory.py b/cli/utils/manager/inventory.py index 6a5f2705..4aaa992a 100644 --- a/cli/utils/manager/inventory.py +++ b/cli/utils/manager/inventory.py @@ -105,6 +105,7 @@ class InventoryManager: """Generate a value based on the provided algorithm.""" if algorithm == "random_hex": return secrets.token_hex(64) + if algorithm == "sha256": return hashlib.sha256(secrets.token_bytes(32)).hexdigest() if algorithm == "sha1": @@ -116,4 +117,7 @@ class InventoryManager: return self.generate_secure_alphanumeric(64) if algorithm == "base64_prefixed_32": return "base64:" + base64.b64encode(secrets.token_bytes(32)).decode() + if algorithm == "random_hex_16": + # 16 Bytes → 32 Hex-Characters + return secrets.token_hex(16) return "undefined" diff --git a/group_vars/all/12_iam.yml b/group_vars/all/12_iam.yml index cc2f0be3..5c46da47 100644 --- a/group_vars/all/12_iam.yml +++ b/group_vars/all/12_iam.yml @@ -38,9 +38,10 @@ defaults_oidc: # Helper Variables: # Keep in mind to mapp this variables if there is ever the possibility for the user to define them in the inventory -_ldap_dn_base: "dc={{primary_domain_sld}},dc={{primary_domain_tld}}" -_ldap_server_port: "{% if applications.ldap.network.docker | bool %}{{ ports.localhost.ldap.ldap }}{% else %}{{ ports.localhost.ldaps.ldap }}{% endif %}" -_ldap_user_id: "uid" +_ldap_dn_base: "dc={{primary_domain_sld}},dc={{primary_domain_tld}}" +_ldap_server_port: "{% if applications.ldap.network.docker | bool %}{{ ports.localhost.ldap.ldap }}{% else %}{{ ports.localhost.ldaps.ldap }}{% endif %}" +_ldap_user_id: "uid" +_ldap_filters_users_all: "(|(objectclass=inetOrgPerson))" ldap: # Distinguished Names (DN) @@ -59,7 +60,9 @@ ldap: # Attribut to identify the user user_id: "{{ _ldap_user_id }}" mail: "mail" - name: "cn" + fullname: "cn" + firstname: "givenname" + surname: "sn" # Password to access dn.bind bind_credential: "{{applications.ldap.credentials.administrator_database_password}}" server: 
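Review bot: `random_hex_16` is `secrets.token_hex(16)` under a new name while `random_hex` already returns `secrets.token_hex(64)`, so a single helper taking the byte count would avoid a third copy the next time a length is needed; the method's `def` line is above the hunk. The last line of the hunk, `return "undefined"`, is still the fall-through for an unrecognised name, which means a schema file that misspells the new `random_hex_16` receives the literal string `undefined` as its secret rather than an error. `raise ValueError(f"unknown algorithm: {algorithm}")` would surface that at generation time; the `^[a-f0-9]{32}$` validation in the schema files may catch it later, if it is enforced.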
@@ -74,5 +77,9 @@ ldap: - inetOrgPerson # Extended Internet / intranet person – RFC 2798 - posixAccount # POSIX/UNIX login attributes (uidNumber, gidNumber …) – RFC 2307 - nextcloudUser # Nextcloud-specific auxiliary attributes (nextcloudQuota, nextcloudEnabled) – Nextcloud schema + - ldapPublicKey # Necessary for setting SSH keys for gitea + filters: - user_filter: "(&(|(objectclass=inetOrgPerson))({{_ldap_user_id}}=%{{_ldap_user_id}}))" \ No newline at end of file + users: + login: "(&{{ _ldap_filters_users_all }}({{_ldap_user_id}}=%{{_ldap_user_id}}))" + all: "{{ _ldap_filters_users_all }}" \ No newline at end of file diff --git a/roles/docker-discourse/templates/discourse_application.yml.j2 b/roles/docker-discourse/templates/discourse_application.yml.j2 index 31bdf22d..08867a8d 100644 --- a/roles/docker-discourse/templates/discourse_application.yml.j2 +++ b/roles/docker-discourse/templates/discourse_application.yml.j2 @@ -165,7 +165,7 @@ run: - exec: rails r "SiteSetting.ldap_bind_password = '{{ ldap.bind_credential }}'" # LDAP additional configuration - - exec: rails r "SiteSetting.ldap_user_filter = '{{ ldap.filters.user_filter }}'" + - exec: rails r "SiteSetting.ldap_user_filter = '{{ ldap.filters.users.login }}'" - exec: rails r "SiteSetting.ldap_group_base_dn = '{{ ldap.dn.groups }}'" - exec: rails r "SiteSetting.ldap_group_member_check = 'memberUid'" diff --git a/roles/docker-gitea/Administration.md b/roles/docker-gitea/Administration.md index 73c7493f..261c9503 100644 --- a/roles/docker-gitea/Administration.md +++ b/roles/docker-gitea/Administration.md 
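Review bot: The new `users.login` filter keeps the `%{{_ldap_user_id}}` placeholder (rendered `%uid`), which is the substitution syntax of Nextcloud's user_ldap, yet with this commit the same string is also handed to Discourse and to Gitea's `add-ldap`, which expect their own placeholder (Gitea substitutes `%s`), so it can only be correct for one consumer. Either document the variable as Nextcloud-specific, e.g. `# %uid is substituted by Nextcloud user_ldap; other consumers need their own placeholder`, or have each consumer build its login filter from `users.all`. In the first hunk of this file, `_ldap_filters_users_all: "(|(objectclass=inetOrgPerson))"` is a one-operand OR, equivalent to `(objectclass=inetOrgPerson)`; keeping the `|` is fine if more classes are expected, and a short comment saying so would stop the next reader from simplifying it.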
@@ -26,4 +26,13 @@ To access the database execute docker-compose exec -it database /bin/mysql -u gitea -p ``` ## bash in application -docker-compose exec -it application /bin/sh \ No newline at end of file +docker-compose exec -it application /bin/sh + +## user management + +### Change password +```bash +docker-compose exec --user git application gitea admin user change-password \ + --username administrator \ + --password "MyNewSecureP@ssw0rd" +``` \ No newline at end of file diff --git a/roles/docker-gitea/meta/schema.yml b/roles/docker-gitea/meta/schema.yml index 2d9a34dc..7eecfa2f 100644 --- a/roles/docker-gitea/meta/schema.yml +++ b/roles/docker-gitea/meta/schema.yml @@ -1,5 +1,5 @@ credentials: oauth2_proxy_cookie_secret: description: "Secret used to encrypt cookies for the OAuth2 proxy (hex-encoded, 16 bytes)" - algorithm: "sha256" + algorithm: "random_hex_16" validation: "^[a-f0-9]{32}$" \ No newline at end of file diff --git a/roles/docker-gitea/tasks/cleanup.yml b/roles/docker-gitea/tasks/cleanup.yml new file mode 100644 index 00000000..2a2528ed --- /dev/null +++ b/roles/docker-gitea/tasks/cleanup.yml @@ -0,0 +1,7 @@ +- name: Execute OIDC Cleanup Routine + include_tasks: cleanup/oidc.yml + when: not (applications | is_feature_enabled('oidc', application_id)) + +- name: Execute LDAP Cleanup Routine + include_tasks: cleanup/ldap.yml + when: not (applications | is_feature_enabled('ldap', application_id)) \ No newline at end of file diff --git a/roles/docker-gitea/tasks/cleanup/ldap.yml b/roles/docker-gitea/tasks/cleanup/ldap.yml new file mode 100644 index 00000000..a64d4467 --- /dev/null +++ b/roles/docker-gitea/tasks/cleanup/ldap.yml 
@@ -0,0 +1,22 @@ +- name: "Lookup existing LDAP auth source ID" + shell: | + docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \ + exec -T --user git application \ + gitea admin auth list \ + | awk -v name="LDAP ({{ primary_domain }})" '$0 ~ name {print $1; exit}' + args: + chdir: "{{ docker_compose.directories.instance }}" + register: ldap_source_id_raw + failed_when: false + changed_when: false + +- name: "Delete existing LDAP auth source if present" + shell: | + docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \ + exec -T --user git application \ + gitea admin auth delete --id {{ ldap_source_id_raw.stdout }} + args: + chdir: "{{ docker_compose.directories.instance }}" + when: ldap_source_id_raw.stdout != "" + register: ldap_delete + failed_when: ldap_delete.rc != 0 \ No newline at end of file diff --git a/roles/docker-gitea/tasks/cleanup/oidc.yml b/roles/docker-gitea/tasks/cleanup/oidc.yml new file mode 100644 index 00000000..47e0e073 --- /dev/null +++ b/roles/docker-gitea/tasks/cleanup/oidc.yml @@ -0,0 +1,23 @@ + +- name: "Lookup existing OIDC auth source ID" + shell: | + docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \ + exec -T --user git application \ + gitea admin auth list \ + | awk -v name="{{ oidc.button_text }}" '$0 ~ name {print $1; exit}' + args: + chdir: "{{ docker_compose.directories.instance }}" + register: oidc_source_id_raw + failed_when: false + changed_when: false + +- name: "Delete existing OIDC auth source if present" + shell: | + docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \ + exec -T --user git application \ + gitea admin auth delete --id {{ oidc_source_id_raw.stdout }} + args: + chdir: "{{ docker_compose.directories.instance }}" + when: oidc_source_id_raw.stdout != "" + register: oidc_delete + failed_when: oidc_delete.rc != 0 
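Review bot: `$0 ~ name` treats the source name as an extended regex, and `LDAP ({{ primary_domain }})` contains parentheses and dots that are metacharacters, so the pattern matches `LDAP example.com` and not the literal `LDAP (example.com)` that Gitea prints; the lookup returns nothing and, with `failed_when: false`, the delete task is silently skipped. A fixed-string match fixes it, `| awk -v name="LDAP ({{ primary_domain }})" 'index($0, name) {print $1; exit}'`, which also matches what setup/ldap.yml does with `grep -F`; the same applies to `oidc.button_text` in the cleanup/oidc.yml hunk that follows. Since the looked-up id is spliced unquoted into the next shell command, guarding the delete with `when: ldap_source_id_raw.stdout is match('^[0-9]+$')` instead of a non-empty check keeps an unexpected output line out of the shell.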
diff --git a/roles/docker-gitea/tasks/main.yml b/roles/docker-gitea/tasks/main.yml index 5caa2e0a..fef35cbd 100644 --- a/roles/docker-gitea/tasks/main.yml +++ b/roles/docker-gitea/tasks/main.yml @@ -45,10 +45,21 @@ changed_when: "'has been successfully created' in create_admin.stdout" failed_when: create_admin.rc != 0 and 'user already exists' not in create_admin.stderr -- name: Execute OIDC Routine - include_tasks: oidc.yml - vars: - action: add - register: oidc_add - ignore_errors: true - when: applications | is_feature_enabled('oidc', application_id) \ No newline at end of file +- name: "Wait until Gitea setup and migrations are ready" + uri: + url: "http://127.0.0.1:{{ ports.localhost.http[application_id] }}/api/v1/version" + method: GET + status_code: 200 + return_content: no + register: gitea_ready + until: gitea_ready.status == 200 + retries: 20 + delay: 5 + when: applications | is_feature_enabled('oidc', application_id) or applications | is_feature_enabled('ldap', application_id) + +- name: Execute Setup Routines + include_tasks: setup.yml + +- name: Execute Cleanup Routines + include_tasks: cleanup.yml + when: mode_cleanup \ No newline at end of file diff --git a/roles/docker-gitea/tasks/setup.yml b/roles/docker-gitea/tasks/setup.yml new file mode 100644 index 00000000..781589c4 --- /dev/null +++ b/roles/docker-gitea/tasks/setup.yml @@ -0,0 +1,7 @@ +- name: Execute OIDC Setup Routine + include_tasks: setup/oidc.yml + when: applications | is_feature_enabled('oidc', application_id) + +- name: Execute LDAP Setup Routine + include_tasks: setup/ldap.yml + when: applications | is_feature_enabled('ldap', application_id) \ No newline at end of file diff --git a/roles/docker-gitea/tasks/setup/ldap.yml b/roles/docker-gitea/tasks/setup/ldap.yml new file mode 100644 index 00000000..9fdcb961 --- /dev/null +++ b/roles/docker-gitea/tasks/setup/ldap.yml 
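Review bot: The readiness wait is now gated on OIDC or LDAP being enabled, but `cleanup.yml`, included two tasks later when `mode_cleanup`, runs `gitea admin auth` commands precisely when those features are disabled, so that path never gets the wait the admin commands previously had inside `oidc.yml`. If the admin CLI needs the migrations to have finished (which is presumably why the wait existed), drop the `when:` on the wait task or extend it with `or mode_cleanup`. The former OIDC include also carried `ignore_errors: true` while the new `setup.yml` include does not; if surfacing those errors is intended, a sentence in the commit message would make the behaviour change deliberate.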
@@ -0,0 +1,66 @@ +- name: "Add LDAP Authentication Source" + shell: | + docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \ + exec -T --user git application \ + gitea admin auth add-ldap \ + --name "LDAP ({{ primary_domain }})" \ + --host "{{ ldap.server.domain }}" \ + --port {{ ldap.server.port }} \ + --security-protocol "{{ ldap.server.security | trim or 'unencrypted' }}" \ + --bind-dn "{{ ldap.dn.administrator }}" \ + --bind-password "{{ ldap.bind_credential }}" \ + --user-search-base "{{ ldap.dn.users }}" \ + --user-filter "{{ ldap.filters.users.login }}" \ + --username-attribute "{{ ldap.attributes.user_id }}" \ + --firstname-attribute "{{ ldap.attributes.firstname }}" \ + --surname-attribute "{{ ldap.attributes.surname }}" \ + --email-attribute "{{ ldap.attributes.mail }}" \ + --synchronize-users # turns on per-login sync + args: + chdir: "{{ docker_compose.directories.instance }}" + register: ldap_manage + failed_when: ldap_manage.rc != 0 and "login source already exists" not in ldap_manage.stderr + +- name: "Lookup existing LDAP auth source ID" + shell: | + docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \ + exec -T --user git application \ + gitea admin auth list \ + | tail -n +2 \ + | grep -F "LDAP ({{ primary_domain }})" \ + | awk '{print $1; exit}' + args: + chdir: "{{ docker_compose.directories.instance }}" + register: ldap_source_id_raw + failed_when: + - ldap_source_id_raw.rc != 0 + - ldap_source_id_raw.stdout == "" + changed_when: false + +- name: "Set LDAP source ID fact" + set_fact: + ldap_source_id: "{{ ldap_source_id_raw.stdout }}" + +- name: "Update LDAP Authentication Source" + shell: | + docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \ + exec -T --user git application \ + gitea admin auth update-ldap \ + --id {{ ldap_source_id }} \ + --name "LDAP ({{ primary_domain }})" \ + --host "{{ ldap.server.domain }}" \ + --port {{ ldap.server.port }} \ + 
--security-protocol "{{ ldap.server.security | trim or 'unencrypted' }}" \ + --bind-dn "{{ ldap.dn.administrator }}" \ + --bind-password "{{ ldap.bind_credential }}" \ + --user-search-base "{{ ldap.dn.users }}" \ + --user-filter "(&(objectClass=inetOrgPerson)(uid=%s))" \ + --username-attribute "{{ ldap.attributes.user_id }}" \ + --firstname-attribute "{{ ldap.attributes.firstname }}" \ + --surname-attribute "{{ ldap.attributes.surname }}" \ + --email-attribute "{{ ldap.attributes.mail }}" \ + --synchronize-users + args: + chdir: "{{ docker_compose.directories.instance }}" + register: ldap_manage + failed_when: ldap_manage.rc != 0 diff --git a/roles/docker-gitea/tasks/oidc.yml b/roles/docker-gitea/tasks/setup/oidc.yml similarity index 86% rename from roles/docker-gitea/tasks/oidc.yml rename to roles/docker-gitea/tasks/setup/oidc.yml index cce5107b..c4546f42 100644 --- a/roles/docker-gitea/tasks/oidc.yml +++ b/roles/docker-gitea/tasks/setup/oidc.yml @@ -1,14 +1,3 @@ -- name: "Wait until Gitea setup and migrations are ready" - uri: - url: "http://127.0.0.1:{{ ports.localhost.http[application_id] }}/api/v1/version" - method: GET - status_code: 200 - return_content: no - register: gitea_ready - until: gitea_ready.status == 200 - retries: 20 - delay: 5 - - name: "Add Keycloak OIDC Provider" shell: | docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \ diff --git a/roles/docker-gitea/templates/docker-compose.yml.j2 b/roles/docker-gitea/templates/docker-compose.yml.j2 index 04f2d098..a8487144 100644 --- a/roles/docker-gitea/templates/docker-compose.yml.j2 +++ b/roles/docker-gitea/templates/docker-compose.yml.j2 @@ -2,6 +2,8 @@ services: {% include 'roles/docker-central-database/templates/services/' + database_type + '.yml.j2' %} +{% include 'roles/docker-oauth2-proxy/templates/container.yml.j2' %} + application: {% include 'roles/docker-compose/templates/services/base.yml.j2' %} image: "{{ applications[application_id].images.gitea }}" 
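Review bot: A `failed_when` given as a list is ANDed, so the lookup task fails only when the command both exits non-zero and prints nothing; a zero exit with empty output (source not found) passes, `ldap_source_id` becomes the empty string and `update-ldap --id` then runs without an id. Write it as one expression, `failed_when: ldap_source_id_raw.rc != 0 or ldap_source_id_raw.stdout == ""`. Separately, `update-ldap` hard-codes `--user-filter "(&(objectClass=inetOrgPerson)(uid=%s))"` while `add-ldap` passes `{{ ldap.filters.users.login }}`, which renders with a `%uid` placeholder that Gitea does not substitute (it expects `%s`), so the first run misconfigures the source and the second run silently repairs it; both commands should use the same Gitea-formatted filter. Both shell tasks put `{{ ldap.bind_credential }}` on the command line, so add `no_log: true` to them to keep the bind password out of Ansible output.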
diff --git a/roles/docker-gitea/templates/env.j2 b/roles/docker-gitea/templates/env.j2 index a39c62ab..d673f4f1 100644 --- a/roles/docker-gitea/templates/env.j2 +++ b/roles/docker-gitea/templates/env.j2 @@ -1,20 +1,29 @@ # Configuration # @see https://docs.gitea.com/next/administration/config-cheat-sheet#repository-repository +# General +DOMAIN={{domains | get_domain(application_id)}} +RUN_MODE="{{ 'dev' if (CYMAIS_ENVIRONMENT | lower) == 'development' else 'prod' }}" +ROOT_URL="{{ web_protocol }}://{{domains | get_domain(application_id)}}/" +APP_NAME="{{ applications[application_id].title }}" USER_UID=1000 USER_GID=1000 + +# Logging configuration +GITEA__log__MODE=console +GITEA__log__LEVEL={% if enable_debug | bool %}Debug{% else %}Info{% endif %} + +# Database DB_TYPE=mysql DB_HOST={{database_host}}:{{database_port}} DB_NAME={{database_name}} DB_USER={{database_username}} DB_PASSWD={{database_password}} + +# SSH SSH_PORT={{ports.public.ssh[application_id]}} SSH_LISTEN_PORT=22 -DOMAIN={{domains | get_domain(application_id)}} SSH_DOMAIN={{domains | get_domain(application_id)}} -RUN_MODE="{{ 'dev' if (CYMAIS_ENVIRONMENT | lower) == 'development' else 'prod' }}" -ROOT_URL="{{ web_protocol }}://{{domains | get_domain(application_id)}}/" -APP_NAME="{{ applications[application_id].title }}" # Mail Configuration # @see https://docs.gitea.com/next/installation/install-with-docker#managing-deployments-with-environment-variables 
@@ -35,38 +44,18 @@ GITEA__REPOSITORY__DEFAULT_PUSH_CREATE_PRIVATE={{ applications[application_id].c GITEA__security__INSTALL_LOCK=true # Locks the installation page -{% if applications | is_feature_enabled('oidc',application_id) %} +# (De)activate OIDC +GITEA__openid__ENABLE_OPENID_SIGNUP={{ applications | is_feature_enabled('oidc',application_id) | lower }} +GITEA__openid__ENABLE_OPENID_SIGNUP={{ applications | is_feature_enabled('oidc',application_id) | lower }} -GITEA__openid__ENABLE_OPENID_SIGNUP=true -GITEA__openid__ENABLE_OPENID_SIGNUP=true +{% if applications | is_feature_enabled('oidc',application_id) or applications | is_feature_enabled('ldap',application_id) %} -{% endif %} +EXTERNAL_USER_DISABLE_FEATURES=deletion,manage_credentials,change_username,change_full_name {% if applications | is_feature_enabled('ldap',application_id) %} +GITEA__ldap__SYNC_USER_ON_LOGIN=true +{% endif %} -# ------------------------------------------------ -# LDAP Authentication (via BindDN) -# ------------------------------------------------ -GITEA__auth__LDAP__ENABLED={{ applications | is_feature_enabled('ldap',application_id) | string | lower }} -GITEA__auth__LDAP__HOST={{ ldap.server.domain }} -GITEA__auth__LDAP__PORT={{ ldap.server.port }} -# security protocol: "", "SSL" or "TLS" -GITEA__auth__LDAP__SECURITY={{ ldap.server.security | trim or "unencrypted" }} -GITEA__auth__LDAP__BIND_DN={{ ldap.dn.administrator }} -GITEA__auth__LDAP__BIND_PASSWORD={{ ldap.bind_credential }} -GITEA__auth__LDAP__USER_SEARCH_BASE={{ ldap.dn.users }} -GITEA__auth__LDAP__USER_FILTER={{ ldap.filters.user_filter }} -# map LDAP attributes to Gitea fields -GITEA__auth__LDAP__ATTRIBUTE_USERNAME={{ ldap.attributes.user_id }} -GITEA__auth__LDAP__ATTRIBUTE_FULL_NAME={{ ldap.attributes.name }} -GITEA__auth__LDAP__ATTRIBUTE_MAIL={{ ldap.attributes.mail }} - -# ------------------------------------------------ -# Periodic sync for external LDAP users -# ------------------------------------------------ 
-GITEA__cron__SYNC_EXTERNAL_USERS_ENABLED=true -# default: sync daily at midnight -GITEA__cron__SYNC_EXTERNAL_USERS_CRON=0 0 * * * {% endif %} # ------------------------------------------------ diff --git a/roles/docker-gitea/vars/configuration.yml b/roles/docker-gitea/vars/configuration.yml index cc88d325..40e62e42 100644 --- a/roles/docker-gitea/vars/configuration.yml +++ b/roles/docker-gitea/vars/configuration.yml @@ -11,12 +11,12 @@ features: css: false portfolio_iframe: true central_database: true - ldap: false # Deactivated because OIDC is implemented - oauth2: false # Deactivated. Use OIDC instead. - oidc: true + ldap: true + oauth2: true + oidc: false # Deactivated because users aren't auto-created. oauth2_proxy: application: "application" - port: "80" + port: "3000" acl: blacklist: - "/user/login" diff --git a/roles/docker-keycloak/templates/import/realm.json.j2 b/roles/docker-keycloak/templates/import/realm.json.j2 index a6eb089d..d011ddd7 100644 --- a/roles/docker-keycloak/templates/import/realm.json.j2 +++ b/roles/docker-keycloak/templates/import/realm.json.j2 @@ -1944,7 +1944,7 @@ "true" ], "ldap.full.name.attribute": [ - "{{ ldap.attributes.name }}" + "{{ ldap.attributes.fullname }}" ] } }, diff --git a/roles/docker-lam/meta/schema.yml b/roles/docker-lam/meta/schema.yml index 180f92b7..67ad8e5d 100644 --- a/roles/docker-lam/meta/schema.yml +++ b/roles/docker-lam/meta/schema.yml @@ -1,7 +1,7 @@ credentials: oauth2_proxy_cookie_secret: - description: "Secret used to encrypt OAuth2 proxy cookies (hex-encoded, 16 bytes)" - algorithm: "sha256" + description: "Secret used to encrypt cookies for the OAuth2 proxy (hex-encoded, 16 bytes)" + algorithm: "random_hex_16" validation: "^[a-f0-9]{32}$" administrator_password: diff --git a/roles/docker-lam/vars/configuration.yml b/roles/docker-lam/vars/configuration.yml index 2a60ceb4..1310bb2a 100644 --- a/roles/docker-lam/vars/configuration.yml +++ b/roles/docker-lam/vars/configuration.yml 
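Review bot: `GITEA__openid__ENABLE_OPENID_SIGNUP` is emitted twice with the same value in this hunk (the duplicate was already present in the removed block); drop one of the two lines. `GITEA__ldap__SYNC_USER_ON_LOGIN=true` does not correspond to any `[ldap]` section I can find in the config cheat sheet the file header links to; per-login sync for an LDAP source is set on the source itself (`--synchronize-users` in setup/ldap.yml), so either confirm this key is read or remove it and leave a comment pointing at the auth-source flag. The first hunk of this file only reorders existing variables.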
@@ -18,6 +18,8 @@ csp: script-src-elem: unsafe-inline: true unsafe-eval: true + script-src: + unsafe-inline: true domains: aliases: - "ldap.{{primary_domain}}" diff --git a/roles/docker-ldap/tasks/add_user_objects.yml b/roles/docker-ldap/tasks/add_user_objects.yml new file mode 100644 index 00000000..1183605a --- /dev/null +++ b/roles/docker-ldap/tasks/add_user_objects.yml @@ -0,0 +1,22 @@ +- name: "1) Gather all existing user DNs" + community.general.ldap_search: + server_uri: "{{ ldap.server.uri }}" + bind_dn: "{{ ldap.dn.administrator }}" + bind_pw: "{{ ldap.bind_credential }}" + base: "{{ ldap.dn.users }}" + filter: "{{ ldap.filters.users.all }}" + attributes: ["dn"] + register: ldap_existing_users + +- name: "2) Update each existing user with all user_objects" + community.general.ldap_attrs: + server_uri: "{{ ldap.server.uri }}" + bind_dn: "{{ ldap.dn.administrator }}" + bind_pw: "{{ ldap.bind_credential }}" + dn: "{{ item.dn }}" + attributes: + objectClass: "{{ ldap.user_objects }}" + state: exact + loop: "{{ ldap_existing_users.entries }}" + loop_control: + label: "{{ item.dn }}" diff --git a/roles/docker-ldap/tasks/main.yml b/roles/docker-ldap/tasks/main.yml index 627bc812..e71a1b75 100644 --- a/roles/docker-ldap/tasks/main.yml +++ b/roles/docker-ldap/tasks/main.yml @@ -113,4 +113,7 @@ loop: - data loop_control: - loop_var: folder \ No newline at end of file + loop_var: folder + +- name: "Add Objects to all users" + include_tasks: add_user_objects.yml \ No newline at end of file diff --git a/roles/docker-matomo/meta/schema.yml b/roles/docker-matomo/meta/schema.yml index 9d23684e..069ecb74 100644 --- a/roles/docker-matomo/meta/schema.yml +++ b/roles/docker-matomo/meta/schema.yml 
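Review bot: Adding `script-src: unsafe-inline: true` widens the policy beyond the existing `script-src-elem` exception: `script-src-elem` only governs `<script>` elements, while `script-src` with `unsafe-inline` also permits inline event handlers and `javascript:` URLs, which is the part of CSP that limits the impact of reflected XSS. The hunk gives no reason for the change; add a comment naming what in LAM breaks without it, e.g. `# LAM uses inline event handlers; script-src-elem alone is not sufficient — TODO confirm and prefer a nonce/hash if the role supports it`.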
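Review bot: `state: exact` replaces each user's entire `objectClass` set with `ldap.user_objects`, so an entry that carries an additional class, or attributes that depend on a class not in that list, is presumably rejected by the server with an object-class violation and the loop stops for the remaining users. If the intent is only to add the newly listed `ldapPublicKey` class, `state: present` adds missing values and leaves existing ones untouched. If normalising every user to exactly this set is intended, say so next to the task, e.g. `# exact: strips object classes not in ldap.user_objects; users with extra classes will fail here`.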
@@ -6,6 +6,6 @@ credentials: validation: "^[a-f0-9]{64}$" oauth2_proxy_cookie_secret: - description: "Secret used to encrypt cookies in the OAuth2 Proxy (hex-encoded, 16 bytes)" - algorithm: "sha256" + description: "Secret used to encrypt cookies for the OAuth2 proxy (hex-encoded, 16 bytes)" + algorithm: "random_hex_16" validation: "^[a-f0-9]{32}$" \ No newline at end of file diff --git a/roles/docker-nextcloud/vars/plugins/user_ldap.yml b/roles/docker-nextcloud/vars/plugins/user_ldap.yml index ac2bfb4f..db315f41 100644 --- a/roles/docker-nextcloud/vars/plugins/user_ldap.yml +++ b/roles/docker-nextcloud/vars/plugins/user_ldap.yml @@ -107,7 +107,7 @@ plugin_configuration: - appid: "user_ldap" configkey: "s01ldap_login_filter" - configvalue: "{{ ldap.filters.user_filter }}" + configvalue: "{{ ldap.filters.users.login }}" - appid: "user_ldap" configkey: "s01ldap_login_filter_mode" @@ -163,7 +163,7 @@ plugin_configuration: - appid: "user_ldap" configkey: "s01ldap_userlist_filter" - configvalue: "(|(objectclass=inetOrgPerson))" + configvalue: "{{ ldap.filters.users.login }}" - appid: "user_ldap" configkey: "s01use_memberof_to_detect_membership" diff --git a/roles/docker-openproject/meta/schema.yml b/roles/docker-openproject/meta/schema.yml index 3796655b..a5b619be 100644 --- a/roles/docker-openproject/meta/schema.yml +++ b/roles/docker-openproject/meta/schema.yml @@ -2,5 +2,5 @@ credentials: oauth2_proxy_cookie_secret: description: "Secret used to encrypt cookies for the OAuth2 proxy (hex-encoded, 16 bytes)" - algorithm: "sha256" + algorithm: "random_hex_16" validation: "^[a-f0-9]{32}$" \ No newline at end of file diff --git a/roles/docker-pgadmin/meta/schema.yml b/roles/docker-pgadmin/meta/schema.yml index 5776137d..309a90ba 100644 --- a/roles/docker-pgadmin/meta/schema.yml +++ b/roles/docker-pgadmin/meta/schema.yml 
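Review bot: In the second user_ldap hunk, `s01ldap_userlist_filter` is switched to `{{ ldap.filters.users.login }}`, which carries the `%{{_ldap_user_id}}` login placeholder and renders as `(&(|(objectclass=inetOrgPerson))(uid=%uid))`; a user-list filter is evaluated without a login name, so the `%uid` term presumably matches nothing and the user list comes back empty. The literal value being removed, `(|(objectclass=inetOrgPerson))`, is exactly what this commit defines as `ldap.filters.users.all`, so the line should read `configvalue: "{{ ldap.filters.users.all }}"`. The first hunk, which changes the login filter, is the correct use of `users.login`.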
@@ -1,7 +1,7 @@ credentials: oauth2_proxy_cookie_secret: - description: "Secret used by OAuth2 Proxy to encrypt browser cookies (16 bytes hex-encoded)" - algorithm: "sha256" + description: "Secret used to encrypt cookies for the OAuth2 proxy (hex-encoded, 16 bytes)" + algorithm: "random_hex_16" validation: "^[a-f0-9]{32}$" administrator_password: diff --git a/roles/docker-phpldapadmin/meta/schema.yml b/roles/docker-phpldapadmin/meta/schema.yml index e3127fca..7eecfa2f 100644 --- a/roles/docker-phpldapadmin/meta/schema.yml +++ b/roles/docker-phpldapadmin/meta/schema.yml @@ -1,5 +1,5 @@ credentials: oauth2_proxy_cookie_secret: - description: "Secret used by OAuth2 Proxy to encrypt session cookies (16 bytes hex-encoded)" - algorithm: "sha256" + description: "Secret used to encrypt cookies for the OAuth2 proxy (hex-encoded, 16 bytes)" + algorithm: "random_hex_16" validation: "^[a-f0-9]{32}$" \ No newline at end of file diff --git a/roles/docker-phpmyadmin/meta/schema.yml b/roles/docker-phpmyadmin/meta/schema.yml index e3127fca..7eecfa2f 100644 --- a/roles/docker-phpmyadmin/meta/schema.yml +++ b/roles/docker-phpmyadmin/meta/schema.yml @@ -1,5 +1,5 @@ credentials: oauth2_proxy_cookie_secret: - description: "Secret used by OAuth2 Proxy to encrypt session cookies (16 bytes hex-encoded)" - algorithm: "sha256" + description: "Secret used to encrypt cookies for the OAuth2 proxy (hex-encoded, 16 bytes)" + algorithm: "random_hex_16" validation: "^[a-f0-9]{32}$" \ No newline at end of file diff --git a/roles/docker-yourls/meta/schema.yml b/roles/docker-yourls/meta/schema.yml index 804ac7e9..6abb9ba4 100644 --- a/roles/docker-yourls/meta/schema.yml +++ b/roles/docker-yourls/meta/schema.yml 
@@ -10,6 +10,6 @@ credentials: validation: "^\\$2[aby]\\$.{56}$" oauth2_proxy_cookie_secret: - description: "Secret used by OAuth2 Proxy to encrypt browser cookies (16 bytes hex-encoded)" - algorithm: "sha256" + description: "Secret used to encrypt cookies for the OAuth2 proxy (hex-encoded, 16 bytes)" + algorithm: "random_hex_16" validation: "^[a-f0-9]{32}$"