Deactivated default login mask

Added auto oidc parameters to discourse
Added condition for OIDC bbb
2025-04-28 18:30:24 +02:00 · 2025-01-27 12:48:25 +01:00 · 2025-01-27 11:51:14 +01:00 · 2025-01-27 10:57:59 +01:00 · 2025-01-27 10:49:51 +01:00 · 2025-01-27 10:17:25 +01:00
7 changed files with 59 additions and 17 deletions
--- a/group_vars/all
+++ b/group_vars/all
@ -217,10 +217,10 @@ akaunting_company_email:      "{{administrator_email}}"
 akaunting_setup_admin_email:  "{{administrator_email}}"

 #### Attendize 
-attendize_version:              "latest"
+attendize_version:                "latest"

 #### Baserow 
-baserow_version:                "latest"
+baserow_version:                  "latest"

 #### Big Blue Button
 bigbluebutton_enable_greenlight:  "true"
@ -243,7 +243,15 @@ joomla_version:                   "latest"

 #### Keycloak
 keycloak_version:                 "latest"
-keycloak_administrator_username:  "{{administrator_username}}"
+keycloak_administrator_username:  "{{administrator_username}}"  # Administrator Username for Keycloak
+
+##### Keycloak Client Configuration
+oidc_client_active:               true  # Implement OpenID Connect https://en.wikipedia.org/wiki/OpenID_Connect
+oidc_client_id:                   "{{primary_domain}}"
+oidc_client_realm:                "{{primary_domain}}"   
+oidc_client_issuer_url:           "https://{{domain_keycloak}}/realms/{{oidc_client_realm}}"
+oidc_client_discovery_document:   "{{oidc_client_issuer_url}}/.well-known/openid-configuration"
+# oidc_client_secret:             "{{oidc_client_secret}}"  # Default use wildcard for primary domain, subdomain client specific configuration in vars files in the roles is possible

 #### LDAP
 ldap_lam_version:                     "latest"
@ -303,16 +311,14 @@ oauth2_proxy_redirect_url:                    "https://{{domain_keycloak}}/auth/
 # oauth2_proxy_port:                          >= 4180                                   # This ports should be defined in the roles. They are for the local mapping on the host and need to be defined in the playbook for transparancy.
 oauth2_proxy_upstream_application_and_port:   "application:80"                          # The name of the application which the server redirects to. Needs to be defined in role vars.
 oauth2_proxy_allowed_roles:                   admin                                     # Restrict it default to admin role. Use the vars/main.yml to open the specific role for other groups  
-oauth2_proxy_client_id:                       "{{primary_domain}}"                      # The id of the client application
-oauth2_proxy_client_secret:                   "{{primary_oauth2_proxy_client_secret}}"  # Default use wildcard for primary domain, subdomain client specific configuration in vars files in the roles is possible
-oauth2_proxy_cookie_secret:                   "{{primary_oauth2_proxy_cookie_secret}}"  # Default use wildcard for primary domain, subdomain client specific configuration in vars files in the roles is possible openssl rand -hex 16
+#oauth2_proxy_cookie_secret:                  "{{oauth2_proxy_cookie_secret}}"          # Default use wildcard for primary domain, subdomain client specific configuration in vars files in the roles is possible openssl rand -hex 16

 #### Peertube
-peertube_version:                         "bookworm"
+peertube_version:           "bookworm"

 #### PHPMyAdmin
-phpmyadmin_version:                       "latest"
-phpmyadmin_autologin:                     false     # This is a high security risk. Just activate this option if you know what you're doing
+phpmyadmin_version:         "latest"
+phpmyadmin_autologin:       false     # This is a high security risk. Just activate this option if you know what you're doing

 #### Pixelfed
 pixelfed_app_name:          "Pictures on {{primary_domain}}"
--- a/roles/docker-baserow/README.md
+++ b/roles/docker-baserow/README.md
@ -2,4 +2,9 @@

 This role allows the setup of [baserole](https://baserow.io/).

+## More Information
+
 It was created with the help of [Chat GPT-4](https://chat.openai.com/share/556c2d7f-6b6f-4256-a646-a50529554efc).
+
+## SSO
+SSO is just activated in the Enterprise Edition. Also no LDAP configuration is available. [More information](https://baserow.io/user-docs/enable-single-sign-on-sso).
--- a/roles/docker-bigbluebutton/README.md
+++ b/roles/docker-bigbluebutton/README.md
@ -20,6 +20,9 @@ watch -n 2 "docker compose ps -a"
 sudo docker-compose exec -it postgres psql -U postgres
 ```

+## SSO
+- https://docs.bigbluebutton.org/greenlight/v3/external-authentication/
+
 ## further information
 - https://github.com/bigbluebutton/docker
 - https://docs.bigbluebutton.org/greenlight/gl-install.html#setting-bigbluebutton-credentials
@ -29,3 +32,4 @@ watch -n 2 "docker compose ps -a"
 - https://www.cyberciti.biz/faq/linux-restart-network-interface/
 - https://stackoverflow.com/questions/53347951/docker-network-not-found
 - https://github.com/bigbluebutton/docker/issues/325
+
--- a/roles/docker-bigbluebutton/templates/env.j2
+++ b/roles/docker-bigbluebutton/templates/env.j2
@ -280,3 +280,13 @@ HELP_URL=https://docs.bigbluebutton.org/greenlight/gl-overview.html
 #   invite - For invite only registration
 #   approval - For approve/decline registration
 DEFAULT_REGISTRATION=invite
+
+{% if oidc_client_active | bool %}
+### EXTERNAL AUTHENTICATION METHODS
+# @See https://docs.bigbluebutton.org/greenlight/v3/external-authentication/
+#
+OPENID_CONNECT_CLIENT_ID={{oidc_client_id}}
+OPENID_CONNECT_CLIENT_SECRET={{oidc_client_secret}}
+OPENID_CONNECT_ISSUER={{oidc_client_issuer_url}}
+OPENID_CONNECT_REDIRECT=https://{{domain}}
+{% endif %}
--- a/roles/docker-discourse/README.md
+++ b/roles/docker-discourse/README.md
@ -2,6 +2,12 @@

 This Ansible role sets up Discourse, a popular open-source discussion platform, using Docker containers. It is designed to automate the deployment and configuration process of Discourse, making it easier to maintain and update.

+
+## Check configuration
+```bash
+./launcher enter application
+pry(main)> SiteSetting.all.each { |setting| puts "#{setting.name}: #{setting.value}" }
+```
 ---

 This README was generated with information provided in the Ansible role. For more detailed instructions and information, refer to the inline comments within the role files. Additional support and context for this role can be found in an [online chat discussion](https://chat.openai.com/share/fdbf9870-1f7e-491f-b4d2-357e6e8ad59c).
--- a/roles/docker-discourse/templates/discourse_application.yml.j2
+++ b/roles/docker-discourse/templates/discourse_application.yml.j2
@ -40,7 +40,6 @@ env:
  ## will be set automatically by bootstrap based on detected CPUs, or you can override
  UNICORN_WORKERS: 8

-  ## TODO: The domain name this Discourse instance will respond to
  ## Required. Discourse will not work with a bare IP number.
  DISCOURSE_HOSTNAME: {{domain}}

@ -48,11 +47,9 @@ env:
  ## hostname (-h option) as specified above (default "$hostname-$config")
  #DOCKER_USE_HOSTNAME: true

-  ## TODO: List of comma delimited emails that will be made admin and developer
  ## on initial signup example 'user1@example.com,user2@example.com'
  DISCOURSE_DEVELOPER_EMAILS:       {{administrator_email}}

-  ## TODO: The SMTP mail server used to validate new accounts and send notifications
  # SMTP ADDRESS, username, and password are required
  # WARNING the char '#' in SMTP password can cause problems!
  DISCOURSE_SMTP_ADDRESS:           {{ system_email_host }}
@ -115,6 +112,20 @@ run:
  ## If you want to set the 'From' email address for your first registration, uncomment and change:
  ## After getting the first signup email, re-comment the line. It only needs to run once.
  #- exec: rails r "SiteSetting.notification_email='info@unconfigured.discourse.org'"
+{% if oidc_client_active | bool %}
+  # Deactivate Default Login
+  - exec: rails r "SiteSetting.enable_local_logins = false"
+  - exec: rails r "SiteSetting.enable_passkeys = false" # https://meta.discourse.org/t/passwordless-login-using-passkeys/285589
+
+  # OIDC Activation
+  - exec: rails r "SiteSetting.openid_connect_enabled = true"
+  - exec: rails r "SiteSetting.openid_connect_discovery_document = '{{oidc_client_discovery_document}}'"
+  - exec: rails r "SiteSetting.openid_connect_client_id = '{{oidc_client_id}}'"         
+  - exec: rails r "SiteSetting.openid_connect_client_secret = '{{oidc_client_secret}}'"     
+  - exec: rails r "SiteSetting.openid_connect_rp_initiated_logout_redirect = 'https://{{domain}}'"
+  - exec: rails r "SiteSetting.openid_connect_allow_association_change = false"
+  - exec: rails r "SiteSetting.openid_connect_rp_initiated_logout = true"
+{% endif %}
  - exec: echo "End of custom commands"

 docker_args:
--- a/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
+++ b/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
@ -7,10 +7,10 @@ cookie_domains          =   ["{{domain}}", "{{domain_keycloak}}"]
 whitelist_domains       =   [".{{primary_domain}}"]                                 # Required to allow redirection back to original requested target.

 # keycloak provider
-client_secret           =   "{{oauth2_proxy_client_secret}}"
-client_id               =   "{{oauth2_proxy_client_id}}"
+client_secret           =   "{{oidc_client_secret}}"
+client_id               =   "{{oidc_client_id}}"
 redirect_url            =   "https://{{domain}}/oauth2/callback"
-oidc_issuer_url         =   "https://{{domain_keycloak}}/realms/{{primary_domain}}"
+oidc_issuer_url         =   "{{oidc_client_issuer_url}}"
 provider                =   "oidc"
 provider_display_name   =   "Keycloak"
Author	SHA1	Message	Date
Kevin Veen-Birkenbach	6f851973fa	Deactivated default login mask	2025-01-27 12:48:25 +01:00
Kevin Veen-Birkenbach	69a98c4c24	Added auto oidc parameters to discourse	2025-01-27 11:51:14 +01:00
Kevin Veen-Birkenbach	c896057400	Added condition for OIDC bbb	2025-01-27 10:57:59 +01:00
Kevin Veen-Birkenbach	2d38f97b17	solved protocol bug	2025-01-27 10:49:51 +01:00
Kevin Veen-Birkenbach	f1607b9045	Added OIDC for bigbluebutton	2025-01-27 10:17:25 +01:00