Refactored OAuth2 Proxy and PhpLDAPAdmin

2025-11-27 00:21:22 +01:00
parent 4b2c7eef88
commit d97d34a822
15 changed files with 103 additions and 87 deletions


@@ -1,7 +1,7 @@
http_address = "0.0.0.0:4180"
cookie_secret = "{{ applications | get_app_conf(oauth2_proxy_application_id, 'credentials.oauth2_proxy_cookie_secret', True) }}"
cookie_secure = "true" # True is necessary to force the cookie set via https
upstreams = "http://{{ applications | get_app_conf(oauth2_proxy_application_id, 'oauth2_proxy.application', True) }}:{{ applications | get_app_conf(oauth2_proxy_application_id, 'oauth2_proxy.port', True) }}"
cookie_secure = "true" # True is necessary to force the cookie set via https
upstreams = "http://{{ applications | get_app_conf(oauth2_proxy_application_id, 'docker.services.oauth2_proxy.origin.host') }}:{{ applications | get_app_conf(oauth2_proxy_application_id, 'docker.services.oauth2_proxy.origin.port') }}"
cookie_domains = ["{{ domains | get_domain(oauth2_proxy_application_id) }}", "{{ domains | get_domain('web-app-keycloak') }}"] # Required so cookie can be read on all subdomains.
whitelist_domains = [".{{ PRIMARY_DOMAIN }}"] # Required to allow redirection back to original requested target.
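Review bot: The new `upstreams` line drops the third `get_app_conf` argument that the old call passed as `True`; if that argument is the strict/required flag, a missing `docker.services.oauth2_proxy.origin.host` or `origin.port` key would presumably render as an empty string and produce `upstreams = "http://:"` instead of failing the template render. If the filter's default is now strict, a short comment above the line saying so would save the next reader the lookup; the `allowed_groups` line in the second hunk drops the same argument. Separately, `cookie_secure = "true"` is a quoted string where TOML has a native boolean, and the trailing comment already describes it as a boolean requirement; `cookie_secure = true` states the intent directly, though confirm how oauth2-proxy coerces the quoted form before changing it, since this line was not touched by the commit.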
@@ -13,11 +13,11 @@ oidc_issuer_url = "{{ OIDC.CLIENT.ISSUER_URL }}"
provider = "oidc"
provider_display_name = "{{ OIDC.BUTTON_TEXT }}"
{% if applications | get_app_conf(oauth2_proxy_application_id, 'oauth2_proxy.allowed_groups', False) %}
{% if applications | get_app_conf(oauth2_proxy_application_id, 'docker.services.oauth2_proxy.allowed_groups', False) %}
{# role based restrictions #}
scope = "openid email profile {{ RBAC.GROUP.CLAIM }}"
oidc_groups_claim = "{{ RBAC.GROUP.CLAIM }}"
allowed_groups = {{ applications | get_app_conf(oauth2_proxy_application_id, 'oauth2_proxy.allowed_groups', True) | to_json }}
allowed_groups = {{ applications | get_app_conf(oauth2_proxy_application_id, 'docker.services.oauth2_proxy.allowed_groups') | to_json }}
email_domains = ["*"]
{% else %}
email_domains = "{{ PRIMARY_DOMAIN }}"