implemented functioning oauth2-proxy
This commit is contained in:
parent
7b9959af21
commit
c35eb10343
6
roles/docker-oauth2-proxy/tasks/main.yml
Normal file
6
roles/docker-oauth2-proxy/tasks/main.yml
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
- name: "Transfering oauth2-proxy-keycloak.cfg.j2 to {{docker_compose_instance_directory}}"
|
||||||
|
copy:
|
||||||
|
src: oauth2-proxy-keycloak.cfg.j2
|
||||||
|
dest: "{{docker_compose_instance_directory}}oauth2-proxy-keycloak.cfg"
|
||||||
|
# notify:
|
||||||
|
# - docker compose project setup
|
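Review bot: The task at the top of this hunk ships `oauth2-proxy-keycloak.cfg.j2` with `copy:`, so the Jinja expressions inside it (such as the `{{oauth2_proxy_cookie_secret}}` visible in the cfg hunk further down) land on the host verbatim instead of being rendered; the `template:` task added in the other tasks hunk does this correctly and this one should match it, `template:` in place of `copy:`. The rendered file carries the cookie secret and the client secret, so it should be written with a restrictive mode as well, `mode: "0600"`. With `notify:` commented out, a changed config never reaches the `docker compose project setup` handler, so a re-run will not restart the container with the new secret. Given that the other tasks hunk adds an equivalent task with the full role path, it is unclear whether this one in `roles/docker-oauth2-proxy/tasks/main.yml` is still needed at all.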
24
roles/docker-oauth2-proxy/templates/container.yml.j2
Normal file
24
roles/docker-oauth2-proxy/templates/container.yml.j2
Normal file
@ -0,0 +1,24 @@
|
|||||||
|
oauth2-proxy:
|
||||||
|
image: quay.io/oauth2-proxy/oauth2-proxy:v7.8.1
|
||||||
|
#image: quay.io/oauth2-proxy/oauth2-proxy:{{oauth2_version}}
|
||||||
|
restart: {{docker_restart_policy}}
|
||||||
|
command: --config /oauth2-proxy.cfg
|
||||||
|
hostname: oauth2-proxy
|
||||||
|
#environment:
|
||||||
|
# OAUTH2_PROXY_PROVIDER: "keycloak" # The OAuth2 provider, in this case, Keycloak. Change based on your provider (e.g., Google, GitHub).
|
||||||
|
# OAUTH2_PROXY_OIDC_ISSUER_URL: "https://auth.veen.world/auth/realms/veen.world"
|
||||||
|
# OAUTH2_PROXY_CLIENT_ID: "{{domain}}" # The client ID configured in Keycloak for the application.
|
||||||
|
# OAUTH2_PROXY_CLIENT_SECRET: "{{oauth2_proxy_client_secret}}" # The client secret configured in Keycloak for the application.
|
||||||
|
# OAUTH2_PROXY_COOKIE_SECRET: "{{oauth2_proxy_cookie_secret}}" # A random 32-character string used to sign cookies for session management. Generate with `openssl rand -base64 32`.
|
||||||
|
# #OAUTH2_PROXY_EMAIL_DOMAINS: "{{primary_domain}}" # The allowed email domain(s) for authentication. Example: "example.com".
|
||||||
|
# OAUTH2_PROXY_REDIRECT_URL: "{{oauth2_proxy_redirect_url}}" # The redirect URL for the OAuth2 flow. It should match the redirect URL configured in Keycloak.
|
||||||
|
# OAUTH2_PROXY_UPSTREAMS: "http://127.0.0.1:{{http_port}}" # The internal upstream service (your application) that OAuth2-Proxy protects.
|
||||||
|
ports:
|
||||||
|
# - "127.0.0.1:{{oauth2_proxy_port}}:4180"
|
||||||
|
- 4180:4180/tcp
|
||||||
|
volumes:
|
||||||
|
- "./oauth2-proxy-keycloak.cfg:/oauth2-proxy.cfg"
|
||||||
|
{% include 'templates/docker/container/networks.yml.j2' %}
|
||||||
|
# keycloak: {}
|
||||||
|
# httpbin: {}
|
||||||
|
# oauth2-proxy: {}
|
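Review bot: The `ports:` entry `- 4180:4180/tcp` publishes oauth2-proxy on every host interface, whereas the commented line just above it and the nginx hunk's `proxy_pass http://127.0.0.1:{{oauth2_proxy_port}};` both assume a loopback-only binding on `{{oauth2_proxy_port}}`; as written the proxy is reachable from the network without going through nginx, and it only lines up with the nginx config if `oauth2_proxy_port` happens to equal 4180. Restoring the loopback mapping, `- "127.0.0.1:{{oauth2_proxy_port}}:4180"`, fixes both. The image tag is hard-coded to `v7.8.1` with the `{{oauth2_version}}` line commented out, which drops the parameterisation the deleted `oauth2-proxy.yml.j2` had; reinstating the variable keeps upgrades in one place. `restart: {{docker_restart_policy}}` is an unquoted templated scalar, so an empty expansion would parse as null; `restart: "{{docker_restart_policy}}"` is safer.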
@ -0,0 +1,18 @@
|
|||||||
|
http_address="0.0.0.0:4180"
|
||||||
|
cookie_secret="{{oauth2_proxy_cookie_secret}}"
|
||||||
|
email_domains="{{primary_domain}}"
|
||||||
|
cookie_secure="false"
|
||||||
|
upstreams="http://proxy:80"
|
||||||
|
cookie_domains=["{{domain}}", "{{domain_keycloak}}"] # Required so cookie can be read on all subdomains.
|
||||||
|
whitelist_domains=[".{{primary_domain}}"] # Required to allow redirection back to original requested target.
|
||||||
|
|
||||||
|
# keycloak provider
|
||||||
|
client_secret="{{oauth2_proxy_client_secret}}"
|
||||||
|
client_id="{{domain}}"
|
||||||
|
#redirect_url="http://oauth2-proxy.localtest.me:4180/oauth2/callback"
|
||||||
|
redirect_url="https://{{domain}}/oauth2/callback"
|
||||||
|
|
||||||
|
# in this case oauth2-proxy is going to visit
|
||||||
|
oidc_issuer_url="https://{{domain_keycloak}}/realms/{{primary_domain}}"
|
||||||
|
provider="oidc"
|
||||||
|
provider_display_name="Keycloak"
|
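Review bot: `cookie_secure="false"` strips the Secure attribute from the session cookie even though `redirect_url` is `https://{{domain}}/oauth2/callback` and nginx terminates TLS in front of the proxy, so the cookie that carries the authenticated session is also sent on any plain-HTTP request to a host covered by `cookie_domains`; it should be `cookie_secure="true"`. Because oauth2-proxy sits behind nginx here, it presumably also needs `reverse_proxy="true"` so that forwarded Host and proto headers are trusted when redirects are built — verify against the option reference for the pinned version. `http_address="0.0.0.0:4180"` is acceptable inside the container only as long as the compose file publishes the port on loopback, which the container hunk above currently does not. This hunk has no file header on the page; from the `template:` task in the other tasks hunk it appears to be `roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2`.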
@ -8,6 +8,12 @@
|
|||||||
- name: "include tasks update-repository-with-docker-compose.yml"
|
- name: "include tasks update-repository-with-docker-compose.yml"
|
||||||
include_tasks: update-repository-with-docker-compose.yml
|
include_tasks: update-repository-with-docker-compose.yml
|
||||||
|
|
||||||
|
- name: "Transfering oauth2-proxy-keycloak.cfg.j2 to {{docker_compose_instance_directory}}"
|
||||||
|
template:
|
||||||
|
src: roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
|
||||||
|
dest: "{{docker_compose_instance_directory}}oauth2-proxy-keycloak.cfg"
|
||||||
|
notify:
|
||||||
|
- docker compose project setup
|
||||||
|
|
||||||
- name: "Transfering Gemfile.plugins to {{docker_compose_instance_directory}}"
|
- name: "Transfering Gemfile.plugins to {{docker_compose_instance_directory}}"
|
||||||
copy:
|
copy:
|
||||||
|
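Review bot: The new `template:` task runs unconditionally, while the nginx hunk gates the whole oauth2 block on `{% if oauth2_proxy_active | bool %}`; the compose include in the next hunk has the same gap and adds the oauth2-proxy service to the project regardless of that flag. Adding `when: oauth2_proxy_active | bool` to this task, and wrapping the compose include in the matching Jinja condition, keeps the three pieces consistent, assuming the variable is defined for this role. The rendered file contains the client and cookie secrets, so `mode: "0600"` is warranted here too. The enclosing task list and the file name are not visible on this page.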
@ -22,7 +22,7 @@ services:
|
|||||||
|
|
||||||
{% include 'templates/docker/services/' + database_type + '.yml.j2' %}
|
{% include 'templates/docker/services/' + database_type + '.yml.j2' %}
|
||||||
|
|
||||||
{% include 'templates/docker/services/oauth2-proxy.yml.j2' %}
|
{% include 'roles/docker-oauth2-proxy/templates/container.yml.j2' %}
|
||||||
|
|
||||||
cache:
|
cache:
|
||||||
image: memcached
|
image: memcached
|
||||||
|
@ -2,9 +2,16 @@ server
|
|||||||
{
|
{
|
||||||
server_name {{domain}};
|
server_name {{domain}};
|
||||||
|
|
||||||
# Include OAuth2 Proxy
|
|
||||||
{% if oauth2_proxy_active | bool %}
|
{% if oauth2_proxy_active | bool %}
|
||||||
# OAuth2-Proxy-Endpunkte
|
# Include OAuth2 Proxy
|
||||||
|
# Raise the maximal header size.
|
||||||
|
# Keycloak uses huge headers for authentification
|
||||||
|
proxy_buffer_size 16k;
|
||||||
|
proxy_buffers 8 16k;
|
||||||
|
proxy_busy_buffers_size 16k;
|
||||||
|
large_client_header_buffers 4 16k;
|
||||||
|
|
||||||
|
# OAuth2-Proxy-Endpoint
|
||||||
location /oauth2/ {
|
location /oauth2/ {
|
||||||
proxy_pass http://127.0.0.1:{{oauth2_proxy_port}};
|
proxy_pass http://127.0.0.1:{{oauth2_proxy_port}};
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
@ -14,13 +21,13 @@ server
|
|||||||
}
|
}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
# Include Matomo Tracking Code
|
|
||||||
{% if nginx_matomo_tracking | bool %}
|
{% if nginx_matomo_tracking | bool %}
|
||||||
|
# Include Matomo Tracking Code
|
||||||
{% include 'roles/nginx-matomo-tracking/templates/matomo-tracking.conf.j2' %}
|
{% include 'roles/nginx-matomo-tracking/templates/matomo-tracking.conf.j2' %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
# Additional Domain Specific Configuration
|
|
||||||
{% if nginx_docker_reverse_proxy_extra_configuration is defined %}
|
{% if nginx_docker_reverse_proxy_extra_configuration is defined %}
|
||||||
|
# Additional Domain Specific Configuration
|
||||||
{{nginx_docker_reverse_proxy_extra_configuration}}
|
{{nginx_docker_reverse_proxy_extra_configuration}}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
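Review bot: In the first hunk of this section the comment `# Keycloak uses huge headers for authentification` has a typo; `# Keycloak uses large headers for authentication` reads correctly. The `location /oauth2/` block continues past the hunk, so whether `X-Forwarded-Proto` and `X-Forwarded-For` are forwarded to oauth2-proxy cannot be confirmed from here; the proxy relies on them to issue correct https redirects behind nginx, which is worth checking since the cfg hunk sets an https `redirect_url`. The buffer directives sit inside the `oauth2_proxy_active` conditional, which is reasonable, but `large_client_header_buffers` is a server-level directive and therefore applies to the whole server block rather than only to `/oauth2/`.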
@ -1,15 +0,0 @@
|
|||||||
oauth2-proxy:
|
|
||||||
image: quay.io/oauth2-proxy/oauth2-proxy:{{oauth2_version}}
|
|
||||||
restart: {{docker_restart_policy}}
|
|
||||||
environment:
|
|
||||||
OAUTH2_PROXY_PROVIDER: "keycloak" # The OAuth2 provider, in this case, Keycloak. Change based on your provider (e.g., Google, GitHub).
|
|
||||||
OAUTH2_PROXY_OIDC_ISSUER_URL: "https://auth.veen.world/auth/realms/veen.world"
|
|
||||||
OAUTH2_PROXY_CLIENT_ID: "{{domain}}" # The client ID configured in Keycloak for the application.
|
|
||||||
OAUTH2_PROXY_CLIENT_SECRET: "{{oauth2_proxy_client_secret}}" # The client secret configured in Keycloak for the application.
|
|
||||||
OAUTH2_PROXY_COOKIE_SECRET: "{{oauth2_proxy_cookie_secret}}" # A random 32-character string used to sign cookies for session management. Generate with `openssl rand -base64 32`.
|
|
||||||
#OAUTH2_PROXY_EMAIL_DOMAINS: "{{primary_domain}}" # The allowed email domain(s) for authentication. Example: "example.com".
|
|
||||||
OAUTH2_PROXY_REDIRECT_URL: "{{oauth2_proxy_redirect_url}}" # The redirect URL for the OAuth2 flow. It should match the redirect URL configured in Keycloak.
|
|
||||||
OAUTH2_PROXY_UPSTREAMS: "http://127.0.0.1:{{http_port}}" # The internal upstream service (your application) that OAuth2-Proxy protects.
|
|
||||||
ports:
|
|
||||||
- "127.0.0.1:{{oauth2_proxy_port}}:4180"
|
|
||||||
{% include 'templates/docker/container/networks.yml.j2' %}
|
|