kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-04-28 18:30:24 +02:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: kevinveenbirkenbach:aa591de3e5c86d0d990f128c3d4a3a931af083ba
Branches Tags
kevinveenbirkenbach:master
...
compare: kevinveenbirkenbach:6d5113b6ea96b6eb70d027d443a32e00cbf5f083
Branches Tags
kevinveenbirkenbach:master

3 Commits
aa591de3e5 ... 6d5113b6ea

Author SHA1 Message Date
Kevin Veen-Birkenbach
6d5113b6ea Updated security for OAuth2 and optimized CSS 2025-02-24 21:00:22 +01:00
Kevin Veen-Birkenbach
bc455a4344 Optimized CSS 2025-02-24 19:29:27 +01:00
Kevin Veen-Birkenbach
5b9553d042 Updated README.md of nextcloud 2025-02-24 16:30:08 +01:00
6 changed files with 101 additions and 16 deletions
Show Stats Expand all files Collapse all files

15
group_vars/all/07_applications.yml
View File

@ -126,6 +126,7 @@ defaults_applications:
enabled: true # Activate the OAuth2 Proxy for the LDAP Webinterface enabled: true # Activate the OAuth2 Proxy for the LDAP Webinterface
application: lam # Needs to be the same as webinterface application: lam # Needs to be the same as webinterface
port: 80 # If you use phpldapadmin set it to 8080 port: 80 # If you use phpldapadmin set it to 8080
# cookie_secret: None # Set via openssl rand -hex 16
database: database:
central_storage: false # LDAP doesn't use an database in the current configuration. Propably a good idea to implement one later. central_storage: false # LDAP doesn't use an database in the current configuration. Propably a good idea to implement one later.
# administrator_password: # CHANGE for security reasons in inventory file # administrator_password: # CHANGE for security reasons in inventory file
@ -164,6 +165,7 @@ defaults_applications:
version: "latest" version: "latest"
oauth2_proxy: oauth2_proxy:
enabled: false # Deactivated atm. @todo implement enabled: false # Deactivated atm. @todo implement
# cookie_secret: None # Set via openssl rand -hex 16
# database_password: Null # Needs to be set in inventory file # database_password: Null # Needs to be set in inventory file
# auth_token: Null # Needs to be set in inventory file # auth_token: Null # Needs to be set in inventory file
css: css:
@ -237,15 +239,13 @@ defaults_applications:
# database_password: Null # Needs to be set in inventory file # database_password: Null # Needs to be set in inventory file
administrator_username: "{{administrator_username}}" administrator_username: "{{administrator_username}}"
administrator_initial_password: "{{administrator_initial_password}}" administrator_initial_password: "{{administrator_initial_password}}"
## OAuth2 Proxy ## OAuth2 Proxy
oauth2_proxy: oauth2_proxy:
configuration_file: "oauth2-proxy-keycloak.cfg" # Needs to be set true in the roles which use it configuration_file: "oauth2-proxy-keycloak.cfg" # Needs to be set true in the roles which use it
version: "latest" # Docker Image version version: "latest" # Docker Image version
redirect_url: "https://{{domains.keycloak}}/auth/realms/{{primary_domain}}/protocol/openid-connect/auth" # The redirect URL for the OAuth2 flow. It should match the redirect URL configured in Keycloak. redirect_url: "https://{{domains.keycloak}}/auth/realms/{{primary_domain}}/protocol/openid-connect/auth" # The redirect URL for the OAuth2 flow. It should match the redirect URL configured in Keycloak.
allowed_roles: admin # Restrict it default to admin role. Use the vars/main.yml to open the specific role for other groups allowed_roles: admin # Restrict it default to admin role. Use the vars/main.yml to open the specific role for other groups
cookie_secret: "{{ applications.oauth2_proxy.cookie_secret if applications.oauth2_proxy is defined else '' }}" # Default use wildcard for primary domain, subdomain client specific configuration in vars files in the roles is possible openssl rand -hex 16
## Open Project ## Open Project
openproject: openproject:
@ -254,6 +254,7 @@ defaults_applications:
enabled: true # OpenProject doesn't support OIDC, so this procy in combination with LDAP is needed enabled: true # OpenProject doesn't support OIDC, so this procy in combination with LDAP is needed
application: "proxy" application: "proxy"
port: "80" port: "80"
# cookie_secret: None # Set via openssl rand -hex 16
ldap_enabled: True # Enables LDAP by default ldap_enabled: True # Enables LDAP by default
database: database:
central_storage: True central_storage: True
@ -270,13 +271,16 @@ defaults_applications:
## PHPMyAdmin ## PHPMyAdmin
phpmyadmin: phpmyadmin:
version: "latest" version: "latest"
autologin: false # This is a high security risk. Just activate this option if you know what you're doing autologin: false # This is a high security risk. Just activate this option if you know what you're doing
oauth2_proxy: oauth2_proxy:
enabled: true enabled: true
port: "80" port: "80"
application: "application" application: "application"
# cookie_secret: None # Set via openssl rand -hex 16
database: database:
central_storage: True central_storage: True
css:
enabled: False # The css needs more optimation for PHPMyAdmin
## Pixelfed ## Pixelfed
pixelfed: pixelfed:
@ -314,7 +318,8 @@ defaults_applications:
enabled: true enabled: true
application: "application" application: "application"
port: "80" port: "80"
location: "/admin/" # Protects the admin area location: "/admin/" # Protects the admin area
# cookie_secret: None # Set via openssl rand -hex 16
database: database:
central_storage: True central_storage: True

19
roles/docker-nextcloud/README.md
View File

@ -92,9 +92,24 @@ To use OCC, run:
```bash ```bash
docker-compose exec -it -u www-data application /var/www/html/occ docker-compose exec -it -u www-data application /var/www/html/occ
``` ```
### User Administration
#### Make user admin via cli
```bash
docker compose exec -it -u www-data application php occ group:adduser admin {{username}}
```
#### Delete user via CLI
```bash
docker compose exec -it -u www-data application php occ user:delete {{username}}
```
--- ---
### App Administration
```bash
docker compose exec -u www-data application php occ config:list {{app_name}}
```
## App Relevant Tables 🗃️ ## App Relevant Tables 🗃️
- `oc_appconfig` - `oc_appconfig`
@ -130,6 +145,10 @@ docker compose exec -u www-data application /var/www/html/occ config:app:get soc
More information: https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html More information: https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html
## Federation
If users are just created via Keycloak and not via LDAP, they have a different username. Due to this reaso concider to use LDAP to guaranty that the username is valid.
--- ---
## Further Information ## Further Information

4
roles/docker-nextcloud/tasks/ldap.yml
View File

@ -1,4 +1,6 @@
# @See https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html # @See https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html
# @See https://chatgpt.com/c/67aa2d21-cb4c-800f-b1be-8629b6bd3f55 # @See https://chatgpt.com/c/67aa2d21-cb4c-800f-b1be-8629b6bd3f55
# @todo implement # @todo implement
#docker compose exec -u www-data application php occ app:enable user_ldap #docker compose exec -u www-data application php occ app:enable user_ldap
occ config:app:set user_ldap installed_version --value "1.21.0"

8
roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
View File

@ -1,7 +1,7 @@
http_address = "0.0.0.0:4180" http_address = "0.0.0.0:4180"
cookie_secret = "{{applications.oauth2_proxy.cookie_secret}}" cookie_secret = "{{applications[application_id].oauth2_proxy.cookie_secret}}"
email_domains = "{{primary_domain}}" email_domains = "{{primary_domain}}"
cookie_secure = "false" cookie_secure = "true" # True is necessary to force the cookie set via https
upstreams = "http://{{applications[application_id].oauth2_proxy.application}}:{{applications[application_id].oauth2_proxy.port}}" upstreams = "http://{{applications[application_id].oauth2_proxy.application}}:{{applications[application_id].oauth2_proxy.port}}"
cookie_domains = ["{{domain}}", "{{domains.keycloak}}"] # Required so cookie can be read on all subdomains. cookie_domains = ["{{domain}}", "{{domains.keycloak}}"] # Required so cookie can be read on all subdomains.
whitelist_domains = [".{{primary_domain}}"] # Required to allow redirection back to original requested target. whitelist_domains = [".{{primary_domain}}"] # Required to allow redirection back to original requested target.
@ -15,5 +15,5 @@ provider = "oidc"
provider_display_name = "Keycloak" provider_display_name = "Keycloak"
# role restrictions # role restrictions
#cookie_roles = "realm_access.roles" #cookie_roles = "realm_access.roles"
allowed_roles = "{{applications.oauth2_proxy.allowed_roles}}" allowed_roles = "{{applications.oauth2_proxy.allowed_roles}}" # This is not correct here. needs to be placed in applications @todo move there when implementing

2
roles/docker-openproject/vars/main.yml
View File

@ -1,6 +1,6 @@
application_id: "openproject" application_id: "openproject"
docker_repository_address: "https://github.com/opf/openproject-deploy" docker_repository_address: "https://github.com/opf/openproject-deploy"
database_password: "{{openproject_database_password}}" database_password: "{{applications[application_id].credentials.database_password}}"
database_type: "postgres" database_type: "postgres"
openproject_plugins_service: "{{docker_compose.directories.services}}plugins/" openproject_plugins_service: "{{docker_compose.directories.services}}plugins/"

69
roles/nginx-modifier-css/templates/global.css.j2
View File

@ -97,6 +97,13 @@ HINT:
--bs-highlight-color: var(--color-10); /* Gemappt von #212529 */ --bs-highlight-color: var(--color-10); /* Gemappt von #212529 */
--bs-border-color-translucent: rgba(var(--color-rgb-01), 0.175); /* Gemappt von rgba(0, 0, 0, 0.175) */ --bs-border-color-translucent: rgba(var(--color-rgb-01), 0.175); /* Gemappt von rgba(0, 0, 0, 0.175) */
--bs-focus-ring-color: rgba(var(--color-rgb-65), 0.25); /* Gemappt von rgba(13, 110, 253, 0.25) */ --bs-focus-ring-color: rgba(var(--color-rgb-65), 0.25); /* Gemappt von rgba(13, 110, 253, 0.25) */
--bs-table-color: var(--bs-emphasis-color);
--bs-table-bg: var(--color-99); /* White (#fff) */
--bs-table-border-color: var(--color-99); /* White (#fff) */
--bs-table-striped-bg: var(--color-85); /* Light Gray (entspricht ca. #dee2e6) */
--bs-table-hover-color: var(--color-01); /* Black (#000) */
--bs-table-hover-bg: rgba(var(--bs-emphasis-color-rgb), 0.075);
} }
@ -817,7 +824,7 @@ html[native-dark-active] .btn, .btn {
} }
/* Navigation (Background and Text Colors) */ /* Navigation (Background and Text Colors) */
.navbar, .navbar-light, .navbar-dark { .navbar, .navbar-light, .navbar-dark, .navbar.bg-light {
background-color: var(--color-90); background-color: var(--color-90);
/* New Gradient based on original background (90 -5, 90, 90 +1, 90 +5) */ /* New Gradient based on original background (90 -5, 90, 90 +1, 90 +5) */
background: linear-gradient({{ range(0, 361) | random }}deg, var(--color-85), var(--color-90), var(--color-91), var(--color-95)); background: linear-gradient({{ range(0, 361) | random }}deg, var(--color-85), var(--color-90), var(--color-91), var(--color-95));
@ -840,6 +847,7 @@ html[native-dark-active] .btn, .btn {
/* New Gradient based on original background (90 -5, 90, 90 +1, 90 +5) */ /* New Gradient based on original background (90 -5, 90, 90 +1, 90 +5) */
background: linear-gradient({{ range(0, 361) | random }}deg, var(--color-85), var(--color-90), var(--color-91), var(--color-95)); background: linear-gradient({{ range(0, 361) | random }}deg, var(--color-85), var(--color-90), var(--color-91), var(--color-95));
border-color: var(--color-85); border-color: var(--color-85);
color: var(--color-12);
} }
.card-body { .card-body {
@ -870,7 +878,7 @@ html[native-dark-active] .btn, .btn {
color: var(--color-40); color: var(--color-40);
} }
/* Keycloak Header */ /* Keycloak */
div#app header, div#app header *{ div#app header, div#app header *{
background-color: var(--color-60); background-color: var(--color-60);
/* New Gradient based on original background (60 -5, 60, 60 +1, 60 +5) */ /* New Gradient based on original background (60 -5, 60, 60 +1, 60 +5) */
@ -991,7 +999,6 @@ div#mastodon .dropdown-button{
div#mastodon .button, div#mastodon .button:active, div#mastodon .button:focus, div#mastodon .button:hover{ div#mastodon .button, div#mastodon .button:active, div#mastodon .button:focus, div#mastodon .button:hover{
background-color: var(--color-71); background-color: var(--color-71);
/* New Gradient based on original background (71 -5, 71, 71 +1, 71 +5) */
background: linear-gradient({{ range(0, 361) | random }}deg, var(--color-66), var(--color-71), var(--color-72), var(--color-76)); background: linear-gradient({{ range(0, 361) | random }}deg, var(--color-66), var(--color-71), var(--color-72), var(--color-76));
} }
@ -1002,22 +1009,65 @@ div#mastodon .button, div#mastodon .button:active, div#mastodon .button:focus, d
/** OpenProject **/ /** OpenProject **/
header.op-app-header{ header.op-app-header{
background-color: var(--color-40); background-color: var(--color-40);
/* New Gradient based on original background (40 -5, 40, 40 +1, 40 +5) */
background: linear-gradient({{ range(0, 361) | random }}deg, var(--color-35), var(--color-40), var(--color-41), var(--color-45)); background: linear-gradient({{ range(0, 361) | random }}deg, var(--color-35), var(--color-40), var(--color-41), var(--color-45));
color: var(--color-40); color: var(--color-40);
} }
/** Open Project **/
div#wrapper button, div#wrapper input, button.top-menu-search-button, div.menu-sidebar a{ div#wrapper button, div#wrapper input, button.top-menu-search-button, div.menu-sidebar a{
background-color: transparent; background-color: transparent;
} }
/* OAuth2 Proxy */
{# The variables look like they are bootstrap variables. @todo Verify and generalize if possible #}
.box {
background-color: var(--color-92);
color: var(--color-10);
}
.subtitle {
color: inherit;
}
.has-background-light {
background-color: var(--color-96) !important;
}
/* Pixelfed */ /* Pixelfed */
div.page-wrapper{ div.page-wrapper{
background: none; background: none;
background-color: none; background-color: none;
} }
/* PHP MyAdmin */
#pma_navigation {
background: linear-gradient(to right, var(--color-95), var(--color-85));
color: var(--color-05);
}
#pma_navigation_tree a {
color: var(--color-05);
}
#pma_navigation_tree li.activePointer, #pma_navigation_tree li.selected {
color: var(--color-05);
background-color: var(--color-70);
}
.breadcrumb-navbar {
background-color: var(--color-86);
}
.navbar-nav .nav-item {
background: linear-gradient(var(--color-99), var(--color-85));
border-right-color: var(--color-99);
border-left-color: var(--color-80);
border-bottom-color: var(--color-80);
}
.result_query div.sqlOuter {
background: var(--color-50);
}
/** Taiga specific configuration **/ /** Taiga specific configuration **/
section.main.kanban{ section.main.kanban{
@ -1049,6 +1099,15 @@ section.kanban h1, section.kanban h2{
background: linear-gradient({{ range(0, 361) | random }}deg, var(--color-70), var(--color-75), var(--color-76), var(--color-80)); background: linear-gradient({{ range(0, 361) | random }}deg, var(--color-70), var(--color-75), var(--color-76), var(--color-80));
} }
.kanban.swimlane .kanban-header {
background: none;
}
.kanban-table-header .task-colum-name {
background-color: var(--color-70);
color: var(--color-10);
}
/* Portfolio */ /* Portfolio */
.card-img-top i { .card-img-top i {
filter: drop-shadow(4px 4px 4px rgba(var(--color-rgb-23), 0.6)); filter: drop-shadow(4px 4px 4px rgba(var(--color-rgb-23), 0.6));