Updated security for OAuth2 and optimized CSS

Optimized CSS
Updated README.md of nextcloud
2025-04-28 18:30:24 +02:00 · 2025-02-24 21:00:22 +01:00 · 2025-02-24 19:29:27 +01:00 · 2025-02-24 16:30:08 +01:00
6 changed files with 101 additions and 16 deletions
--- a/group_vars/all/07_applications.yml
+++ b/group_vars/all/07_applications.yml
@ -126,6 +126,7 @@ defaults_applications:
      enabled:                        true                                      # Activate the OAuth2 Proxy for the LDAP Webinterface
      application:                    lam                                       # Needs to be the same as webinterface
      port:                           80                                        # If you use phpldapadmin set it to 8080
 #     cookie_secret:                  None                                      # Set via openssl rand -hex 16
    database:
      central_storage:                false                                     # LDAP doesn't use an database in the current configuration. Propably a good idea to implement one later. 
    # administrator_password:                                                   # CHANGE for security reasons in inventory file
@ -164,6 +165,7 @@ defaults_applications:
    version:                          "latest"
    oauth2_proxy:
      enabled:                        false                         # Deactivated atm. @todo implement 
 #     cookie_secret:                  None                          # Set via openssl rand -hex 16
 #   database_password:                Null                          # Needs to be set in inventory file
 #   auth_token:                       Null                          # Needs to be set in inventory file
    css:
@ -238,14 +240,12 @@ defaults_applications:
      administrator_username:           "{{administrator_username}}"
      administrator_initial_password:   "{{administrator_initial_password}}"
  ## OAuth2 Proxy
  oauth2_proxy:
    configuration_file: "oauth2-proxy-keycloak.cfg"                                                                     # Needs to be set true in the roles which use it
    version:            "latest"                                                                                        # Docker Image version
    redirect_url:       "https://{{domains.keycloak}}/auth/realms/{{primary_domain}}/protocol/openid-connect/auth"      # The redirect URL for the OAuth2 flow. It should match the redirect URL configured in Keycloak.
    allowed_roles:      admin                                                                                           # Restrict it default to admin role. Use the vars/main.yml to open the specific role for other groups  
    cookie_secret:      "{{ applications.oauth2_proxy.cookie_secret if applications.oauth2_proxy is defined else '' }}" # Default use wildcard for primary domain, subdomain client specific configuration in vars files in the roles is possible openssl rand -hex 16
  ## Open Project
  openproject:
@ -254,6 +254,7 @@ defaults_applications:
      enabled:            true    # OpenProject doesn't support OIDC, so this procy in combination with LDAP is needed
      application:        "proxy"
      port:               "80"
 #     cookie_secret:      None    # Set via openssl rand -hex 16
    ldap_enabled:         True    # Enables LDAP by default
    database:
      central_storage:    True 
@ -275,8 +276,11 @@ defaults_applications:
      enabled:            true
      port:               "80"
      application:        "application"
 #     cookie_secret:      None            # Set via openssl rand -hex 16
    database:
      central_storage:    True
    css:
      enabled:            False           # The css needs more optimation for PHPMyAdmin
  ## Pixelfed
  pixelfed:
@ -315,6 +319,7 @@ defaults_applications:
      application:            "application"
      port:                   "80"
      location:               "/admin/"       # Protects the admin area
 #     cookie_secret:          None            # Set via openssl rand -hex 16
    database:
      central_storage:        True
--- a/roles/docker-nextcloud/README.md
+++ b/roles/docker-nextcloud/README.md
@ -92,9 +92,24 @@ To use OCC, run:
 ```bash
 docker-compose exec -it -u www-data application /var/www/html/occ
 ```
 ### User Administration 
 #### Make user admin via cli
 ```bash
 docker compose exec -it -u www-data application php occ group:adduser admin {{username}}
 ```
 #### Delete user via CLI
 ```bash
 docker compose exec -it -u www-data application php occ user:delete {{username}}
 ```
 ---
 ### App Administration
 ```bash
 docker compose exec -u www-data application php occ config:list {{app_name}}
 ```
 ## App Relevant Tables 🗃️
 - `oc_appconfig`
@ -130,6 +145,10 @@ docker compose exec -u www-data application /var/www/html/occ config:app:get soc
 More information: https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html
 ## Federation
 If users are just created via Keycloak and not via LDAP, they have a different username. Due to this reaso concider to use LDAP to guaranty that the username is valid. 
 ---
 ## Further Information ℹ️
--- a/roles/docker-nextcloud/tasks/ldap.yml
+++ b/roles/docker-nextcloud/tasks/ldap.yml
@ -2,3 +2,5 @@
 # @See https://chatgpt.com/c/67aa2d21-cb4c-800f-b1be-8629b6bd3f55
 # @todo implement
 #docker compose exec -u www-data application php occ app:enable user_ldap
 occ config:app:set user_ldap installed_version --value "1.21.0"
--- a/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
+++ b/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
@ -1,7 +1,7 @@
 http_address            =   "0.0.0.0:4180"
-cookie_secret           =   "{{applications.oauth2_proxy.cookie_secret}}"
+cookie_secret           =   "{{applications[application_id].oauth2_proxy.cookie_secret}}"
 email_domains           =   "{{primary_domain}}"
-cookie_secure           =   "false"
+cookie_secure           =   "true"                                                  # True is necessary to force the cookie set via https
 upstreams               =   "http://{{applications[application_id].oauth2_proxy.application}}:{{applications[application_id].oauth2_proxy.port}}"
 cookie_domains          =   ["{{domain}}", "{{domains.keycloak}}"]                  # Required so cookie can be read on all subdomains.
 whitelist_domains       =   [".{{primary_domain}}"]                                 # Required to allow redirection back to original requested target.
@ -16,4 +16,4 @@ provider_display_name   =   "Keycloak"
 # role restrictions
 #cookie_roles           =   "realm_access.roles"
-allowed_roles           =   "{{applications.oauth2_proxy.allowed_roles}}"
+allowed_roles           =   "{{applications.oauth2_proxy.allowed_roles}}"           # This is not correct here. needs to be placed in applications @todo move there when implementing
--- a/roles/docker-openproject/vars/main.yml
+++ b/roles/docker-openproject/vars/main.yml
@ -1,6 +1,6 @@
 application_id:               "openproject"
 docker_repository_address:    "https://github.com/opf/openproject-deploy"
-database_password:            "{{openproject_database_password}}"
+database_password:            "{{applications[application_id].credentials.database_password}}"
 database_type:                "postgres"
 openproject_plugins_service:  "{{docker_compose.directories.services}}plugins/"
--- a/roles/nginx-modifier-css/templates/global.css.j2
+++ b/roles/nginx-modifier-css/templates/global.css.j2
@ -97,6 +97,13 @@ HINT:
  --bs-highlight-color: var(--color-10); /* Gemappt von #212529 */
  --bs-border-color-translucent: rgba(var(--color-rgb-01), 0.175); /* Gemappt von rgba(0, 0, 0, 0.175) */
  --bs-focus-ring-color: rgba(var(--color-rgb-65), 0.25); /* Gemappt von rgba(13, 110, 253, 0.25) */
  --bs-table-color: var(--bs-emphasis-color);
  --bs-table-bg: var(--color-99);          /* White (#fff) */
  --bs-table-border-color: var(--color-99);  /* White (#fff) */
  --bs-table-striped-bg: var(--color-85);    /* Light Gray (entspricht ca. #dee2e6) */
  --bs-table-hover-color: var(--color-01);   /* Black (#000) */
  --bs-table-hover-bg: rgba(var(--bs-emphasis-color-rgb), 0.075);
 }
@ -817,7 +824,7 @@ html[native-dark-active] .btn, .btn {
 }
 /* Navigation (Background and Text Colors) */
-.navbar, .navbar-light, .navbar-dark {
+.navbar, .navbar-light, .navbar-dark, .navbar.bg-light {
    background-color: var(--color-90);
    /* New Gradient based on original background (90 -5, 90, 90 +1, 90 +5) */
    background: linear-gradient({{ range(0, 361) | random }}deg, var(--color-85), var(--color-90), var(--color-91), var(--color-95));
@ -840,6 +847,7 @@ html[native-dark-active] .btn, .btn {
    /* New Gradient based on original background (90 -5, 90, 90 +1, 90 +5) */
    background: linear-gradient({{ range(0, 361) | random }}deg, var(--color-85), var(--color-90), var(--color-91), var(--color-95));
    border-color: var(--color-85);
    color: var(--color-12);
 }
 .card-body {
@ -870,7 +878,7 @@ html[native-dark-active] .btn, .btn {
    color: var(--color-40);
 }
-/* Keycloak Header */
+/* Keycloak */
 div#app header, div#app header *{
    background-color: var(--color-60);
    /* New Gradient based on original background (60 -5, 60, 60 +1, 60 +5) */
@ -991,7 +999,6 @@ div#mastodon .dropdown-button{
 div#mastodon .button, div#mastodon .button:active, div#mastodon .button:focus, div#mastodon .button:hover{
    background-color: var(--color-71);
    /* New Gradient based on original background (71 -5, 71, 71 +1, 71 +5) */
    background: linear-gradient({{ range(0, 361) | random }}deg, var(--color-66), var(--color-71), var(--color-72), var(--color-76));
 }
@ -1002,22 +1009,65 @@ div#mastodon .button, div#mastodon .button:active, div#mastodon .button:focus, d
 /** OpenProject **/
 header.op-app-header{
    background-color: var(--color-40);
    /* New Gradient based on original background (40 -5, 40, 40 +1, 40 +5) */
    background: linear-gradient({{ range(0, 361) | random }}deg, var(--color-35), var(--color-40), var(--color-41), var(--color-45));
    color: var(--color-40);
 }
 /** Open Project **/
 div#wrapper button, div#wrapper input, button.top-menu-search-button, div.menu-sidebar a{
    background-color: transparent;
 }
 /* OAuth2 Proxy */
 {# The variables look like they are bootstrap variables. @todo Verify and generalize if possible #}
 .box {
    background-color: var(--color-92);
    color: var(--color-10);
 }
 .subtitle {
    color: inherit;
 }
 .has-background-light {
    background-color: var(--color-96) !important;
 }
 /* Pixelfed */
 div.page-wrapper{
    background: none;
    background-color: none;
 }
 /* PHP MyAdmin */
 #pma_navigation {
    background: linear-gradient(to right, var(--color-95), var(--color-85));
    color: var(--color-05);
 }
 #pma_navigation_tree a {
    color: var(--color-05);
 }
 #pma_navigation_tree li.activePointer, #pma_navigation_tree li.selected {
    color: var(--color-05);
    background-color: var(--color-70);
 }
 .breadcrumb-navbar {
    background-color: var(--color-86);
 }
 .navbar-nav .nav-item {
    background: linear-gradient(var(--color-99), var(--color-85));
    border-right-color: var(--color-99);
    border-left-color: var(--color-80);
    border-bottom-color: var(--color-80);
 }
 .result_query div.sqlOuter {
    background: var(--color-50);
 }
 /** Taiga specific configuration  **/
 section.main.kanban{
@ -1049,6 +1099,15 @@ section.kanban h1, section.kanban h2{
    background: linear-gradient({{ range(0, 361) | random }}deg, var(--color-70), var(--color-75), var(--color-76), var(--color-80));
 }
 .kanban.swimlane .kanban-header {
    background: none;
 }
 .kanban-table-header .task-colum-name {
    background-color: var(--color-70);
    color: var(--color-10);
 }
 /* Portfolio */ 
 .card-img-top i {
    filter: drop-shadow(4px 4px 4px rgba(var(--color-rgb-23), 0.6));
Author	SHA1	Message	Date
Kevin Veen-Birkenbach	6d5113b6ea	Updated security for OAuth2 and optimized CSS	2025-02-24 21:00:22 +01:00
Kevin Veen-Birkenbach	bc455a4344	Optimized CSS	2025-02-24 19:29:27 +01:00
Kevin Veen-Birkenbach	5b9553d042	Updated README.md of nextcloud	2025-02-24 16:30:08 +01:00