kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-12-02 07:38:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

Refactored OAuth2 Proxy and PhpLDAPAdmin

Browse Source
This commit is contained in:
Kevin Veen-Birkenbach
2025-11-27 00:21:22 +01:00
parent 4b2c7eef88
commit d97d34a822
15 changed files with 103 additions and 87 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
roles/sys-svc-proxy/templates/vhost/basic.conf.j2
View File

@@ -17,7 +17,7 @@ server
{% include 'roles/sys-svc-letsencrypt/templates/ssl_header.j2' %}
{% if applications | get_app_conf(application_id, 'features.oauth2', False) %}
{% set acl = applications | get_app_conf(application_id, 'oauth2_proxy.acl', False, {}) %}
{% set acl = applications | get_app_conf(application_id, 'docker.services.oauth2_proxy.acl', False, {}) %}
{% if acl.blacklist is defined %}
{# 1. Expose everything by default, then protect blacklisted paths #}

7
roles/web-app-friendica/config/main.yml
View File

@@ -23,9 +23,6 @@ server:
unsafe-eval: true
style-src-attr:
unsafe-inline: true
oauth2_proxy:
application: "application"
port: "80"
addons:
keycloakpassword: {}
ldapauth: {}
@@ -33,3 +30,7 @@ docker:
services:
database:
enabled: true
oauth2_proxy:
origin:
host: "application"
port: "80"

13
roles/web-app-funkwhale/config/main.yml
View File

@@ -12,6 +12,13 @@ docker:
enabled: true
database:
enabled: true
oauth2_proxy:
origin:
host: "front"
port: "80"
acl:
blacklist:
- "/login"
features:
matomo: true
css: false
@@ -32,9 +39,3 @@ server:
whitelist:
font-src:
- "data:"
oauth2_proxy:
application: "front"
port: "80"
acl:
blacklist:
- "/login"

14
roles/web-app-gitea/config/main.yml
View File

@@ -13,12 +13,7 @@ features:
oauth2: true
oidc: false # Deactivated because users aren't auto-created.
logout: true
oauth2_proxy:
application: "application"
port: "<< defaults_applications[web-app-gitea].docker.services.gitea.port >>"
acl:
blacklist:
- "/user/login"
server:
csp:
flags:
@@ -59,5 +54,12 @@ docker:
mem_reservation: 0.2g
mem_limit: 0.3g
pids_limit: 512
oauth2_proxy:
origin:
host: "application"
port: "<< defaults_applications[web-app-gitea].docker.services.gitea.port >>"
acl:
blacklist:
- "/user/login"
volumes:
data: "gitea_data"

5
roles/web-app-lam/config/main.yml
View File

@@ -3,8 +3,9 @@ docker:
lam:
image: ghcr.io/ldapaccountmanager/lam
version: latest
oauth2_proxy:
application: application
oauth2_proxy:
origin:
host: application
port: 80
allowed_groups:
- "{{ [RBAC.GROUP.NAME, 'web-app-lam-administrator'] | path_join }}"

6
roles/web-app-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
View File

@@ -1,7 +1,7 @@
http_address = "0.0.0.0:4180"
cookie_secret = "{{ applications | get_app_conf(oauth2_proxy_application_id, 'credentials.oauth2_proxy_cookie_secret', True) }}"
cookie_secure = "true" # True is necessary to force the cookie set via https
upstreams = "http://{{ applications | get_app_conf(oauth2_proxy_application_id, 'oauth2_proxy.application', True) }}:{{ applications | get_app_conf(oauth2_proxy_application_id, 'oauth2_proxy.port', True) }}"
upstreams = "http://{{ applications | get_app_conf(oauth2_proxy_application_id, 'docker.services.oauth2_proxy.origin.host') }}:{{ applications | get_app_conf(oauth2_proxy_application_id, 'docker.services.oauth2_proxy.origin.port') }}"
cookie_domains = ["{{ domains | get_domain(oauth2_proxy_application_id) }}", "{{ domains | get_domain('web-app-keycloak') }}"] # Required so cookie can be read on all subdomains.
whitelist_domains = [".{{ PRIMARY_DOMAIN }}"] # Required to allow redirection back to original requested target.
@@ -13,11 +13,11 @@ oidc_issuer_url = "{{ OIDC.CLIENT.ISSUER_URL }}"
provider = "oidc"
provider_display_name = "{{ OIDC.BUTTON_TEXT }}"
{% if applications | get_app_conf(oauth2_proxy_application_id, 'oauth2_proxy.allowed_groups', False) %}
{% if applications | get_app_conf(oauth2_proxy_application_id, 'docker.services.oauth2_proxy.allowed_groups', False) %}
{# role based restrictions #}
scope = "openid email profile {{ RBAC.GROUP.CLAIM }}"
oidc_groups_claim = "{{ RBAC.GROUP.CLAIM }}"
allowed_groups = {{ applications | get_app_conf(oauth2_proxy_application_id, 'oauth2_proxy.allowed_groups', True) | to_json }}
allowed_groups = {{ applications | get_app_conf(oauth2_proxy_application_id, 'docker.services.oauth2_proxy.allowed_groups') | to_json }}
email_domains = ["*"]
{% else %}
email_domains = "{{ PRIMARY_DOMAIN }}"

18
roles/web-app-openproject/config/main.yml
View File

@@ -1,11 +1,3 @@
oauth2_proxy:
application: "proxy"
port: "80"
acl:
whitelist:
- "/users/me" # Necessary for Nextcloud Plugin to work
- "/api/" # Necessary for Nextcloud Plugin to work
- "/oauth/token" # Necessary for Nextcloud Plugin to work
ldap:
filters:
administrators: False # Set true to filter administrators
@@ -78,6 +70,14 @@ docker:
mem_reservation: "512m"
mem_limit: "512m"
pids_limit: 256
oauth2_proxy:
origin:
host: "proxy"
port: "80"
acl:
whitelist:
- "/users/me" # Necessary for Nextcloud Plugin to work
- "/api/" # Necessary for Nextcloud Plugin to work
- "/oauth/token" # Necessary for Nextcloud Plugin to work
volumes:
data: "openproject_data"

11
roles/web-app-pgadmin/config/main.yml
View File

@@ -1,11 +1,6 @@
version: "latest"
server_mode: False # If true then the preconfigured database file is loaded. Recommended False. True is a security risk.
master_password_required: True # Master password is required. Recommended True. False is a security risk.
oauth2_proxy:
application: "application"
port: "80"
allowed_groups:
- "{{ [RBAC.GROUP.NAME, 'web-app-pgadmin-administrator'] | path_join }}"
features:
matomo: true
css: true
@@ -31,3 +26,9 @@ docker:
services:
database:
enabled: true
oauth2_proxy:
origin:
host: "application"
port: "80"
allowed_groups:
- "{{ [RBAC.GROUP.NAME, 'web-app-pgadmin-administrator'] | path_join }}"

17
roles/web-app-phpldapadmin/config/main.yml
View File

@@ -1,9 +1,3 @@
version: "2.0.0-dev"
oauth2_proxy:
application: application # Needs to be the same as webinterface
port: 8080 # application port
allowed_groups:
- "{{ [RBAC.GROUP.NAME, 'web-app-phpldapadmin-administrator'] | path_join }}"
features:
matomo: true
css: true
@@ -16,3 +10,14 @@ server:
canonical:
- phpldapadmin.{{ PRIMARY_DOMAIN }}
aliases: []
docker:
services:
phpldapadmin:
image: leenooks/phpldapadmin
version: "2.0.0-dev"
oauth2_proxy:
origin:
host: application # Needs to be the same as webinterface
port: 8080 # application port
allowed_groups:
- "{{ [RBAC.GROUP.NAME, 'web-app-phpldapadmin-administrator'] | path_join }}"

2
roles/web-app-phpldapadmin/templates/docker-compose.yml.j2
View File

@@ -2,7 +2,7 @@
application:
container_name: {{ application_id }}
image: leenooks/phpldapadmin:{{ applications | get_app_conf(application_id, 'version', True)}}
image: {{ PHPLDAPADMIN_IMAGE }}:{{ PHPLDAPADMIN_VERSION }}
ports:
- 127.0.0.1:{{ ports.localhost.http[application_id] }}:8080
{% include 'roles/docker-container/templates/base.yml.j2' %}

4
roles/web-app-phpldapadmin/vars/main.yml
View File

@@ -1 +1,5 @@
application_id: "web-app-phpldapadmin"
entity_name: "{{ application_id | get_entity_name }}"
PHPLDAPADMIN_IMAGE: "{{ applications | get_app_conf(application_id, 'docker.services.' ~ entity_name ~ '.image' )}}"
PHPLDAPADMIN_VERSION: "{{ applications | get_app_conf(application_id, 'docker.services.' ~ entity_name ~ '.version' )}}"

12
roles/web-app-phpmyadmin/config/main.yml
View File

@@ -1,9 +1,4 @@
autologin: false # This is a high security risk. Just activate this option if you know what you're doing
oauth2_proxy:
port: "80"
application: "application"
allowed_groups:
- "{{ [RBAC.GROUP.NAME, 'web-app-phpmyadmin-administrator'] | path_join }}"
features:
matomo: true
css: false
@@ -30,4 +25,9 @@ docker:
phpmyadmin:
version: "latest" # Use the latest phpmyadmin version
name: "phpmyadmin"
image: phpmyadmin/phpmyadmin
image: "phpmyadmin/phpmyadmin"
oauth2_proxy:
port: "80"
application: "application"
allowed_groups:
- "{{ [RBAC.GROUP.NAME, 'web-app-phpmyadmin-administrator'] | path_join }}"

12
roles/web-app-snipe-it/config/main.yml
View File

@@ -23,12 +23,6 @@ server:
whitelist:
font-src:
- "data:"
oauth2_proxy:
application: "application"
port: "80"
acl:
blacklist:
- "/login"
docker:
services:
redis:
@@ -39,6 +33,12 @@ docker:
version: "latest"
name: "snipe-it"
image: "grokability/snipe-it"
oauth2_proxy:
application: "application"
port: "80"
acl:
blacklist:
- "/login"
volumes:
data: "snipe-it_data"

16
roles/web-app-yourls/config/main.yml
View File

@@ -1,11 +1,3 @@
oauth2_proxy:
application: "application"
port: "80"
allowed_groups:
- "{{ [RBAC.GROUP.NAME, 'web-app-yourls-administrator'] | path_join }}"
acl:
blacklist:
- "<< defaults_applications[web-app-yourls].server.locations.admin >>" # Protects the admin area
features:
matomo: true
css: true
@@ -38,3 +30,11 @@ docker:
version: "latest"
name: "yourls"
image: "yourls"
oauth2_proxy:
application: "application"
port: "80"
allowed_groups:
- "{{ [RBAC.GROUP.NAME, 'web-app-yourls-administrator'] | path_join }}"
acl:
blacklist:
- "<< defaults_applications[web-app-yourls].server.locations.admin >>" # Protects the admin area

5
tests/integration/test_oauth2_acl_mutual_exclusive.py
View File

@@ -22,7 +22,8 @@ class TestOauth2AclMutualExclusion(unittest.TestCase):
failures.append(f"{role_path.name}: failed to parse YAML ({e})")
continue
oauth2 = data.get("oauth2_proxy", {})
services = data.get("services", {})
oauth2 = services.get("oauth2_proxy", {})
acl = oauth2.get("acl", None)
if acl is None:
continue
@@ -37,7 +38,7 @@ class TestOauth2AclMutualExclusion(unittest.TestCase):
if failures:
self.fail(
"The following roles define both whitelist and blacklist under oauth2_proxy.acl:\n"
"The following roles define both whitelist and blacklist under docker.services.oauth2_proxy.acl:\n"
+ "\n".join(failures)
)