Updated security for OAuth2 and optimized CSS

group_vars/all/07_applications.yml

@@ -126,6 +126,7 @@ defaults_applications:
       enabled:                        true                                      # Activate the OAuth2 Proxy for the LDAP Webinterface
       application:                    lam                                       # Needs to be the same as webinterface
       port:                           80                                        # If you use phpldapadmin set it to 8080
+#     cookie_secret:                  None                                      # Set via openssl rand -hex 16
     database:
       central_storage:                false                                     # LDAP doesn't use an database in the current configuration. Propably a good idea to implement one later. 
     # administrator_password:                                                   # CHANGE for security reasons in inventory file
@@ -164,6 +165,7 @@ defaults_applications:
     version:                          "latest"
     oauth2_proxy:
       enabled:                        false                         # Deactivated atm. @todo implement 
+#     cookie_secret:                  None                          # Set via openssl rand -hex 16
 #   database_password:                Null                          # Needs to be set in inventory file
 #   auth_token:                       Null                          # Needs to be set in inventory file
     css:
@@ -238,14 +240,12 @@ defaults_applications:
       administrator_username:           "{{administrator_username}}"
       administrator_initial_password:   "{{administrator_initial_password}}"
       
-
   ## OAuth2 Proxy
   oauth2_proxy:
     configuration_file: "oauth2-proxy-keycloak.cfg"                                                                     # Needs to be set true in the roles which use it
     version:            "latest"                                                                                        # Docker Image version
     redirect_url:       "https://{{domains.keycloak}}/auth/realms/{{primary_domain}}/protocol/openid-connect/auth"      # The redirect URL for the OAuth2 flow. It should match the redirect URL configured in Keycloak.
     allowed_roles:      admin                                                                                           # Restrict it default to admin role. Use the vars/main.yml to open the specific role for other groups  
-    cookie_secret:      "{{ applications.oauth2_proxy.cookie_secret if applications.oauth2_proxy is defined else '' }}" # Default use wildcard for primary domain, subdomain client specific configuration in vars files in the roles is possible openssl rand -hex 16
 
   ## Open Project
   openproject:
@@ -254,6 +254,7 @@ defaults_applications:
       enabled:            true    # OpenProject doesn't support OIDC, so this procy in combination with LDAP is needed
       application:        "proxy"
       port:               "80"
+#     cookie_secret:      None    # Set via openssl rand -hex 16
     ldap_enabled:         True    # Enables LDAP by default
     database:
       central_storage:    True 
@@ -275,8 +276,11 @@ defaults_applications:
       enabled:            true
       port:               "80"
       application:        "application"
+#     cookie_secret:      None            # Set via openssl rand -hex 16
     database:
       central_storage:    True
+    css:
+      enabled:            False           # The css needs more optimation for PHPMyAdmin
 
   ## Pixelfed
   pixelfed:
@@ -315,6 +319,7 @@ defaults_applications:
       application:            "application"
       port:                   "80"
       location:               "/admin/"       # Protects the admin area
+#     cookie_secret:          None            # Set via openssl rand -hex 16
     database:
       central_storage:        True
 

roles/docker-nextcloud/README.md

@@ -92,9 +92,24 @@ To use OCC, run:
 ```bash
 docker-compose exec -it -u www-data application /var/www/html/occ
 ```
+### User Administration 
 
+#### Make user admin via cli
+```bash
+docker compose exec -it -u www-data application php occ group:adduser admin {{username}}
+```
+
+#### Delete user via CLI
+```bash
+docker compose exec -it -u www-data application php occ user:delete {{username}}
+```
 ---
 
+### App Administration
+```bash
+docker compose exec -u www-data application php occ config:list {{app_name}}
+```
+
 ## App Relevant Tables 🗃️
 
 - `oc_appconfig`
@@ -130,6 +145,10 @@ docker compose exec -u www-data application /var/www/html/occ config:app:get soc
 
 More information: https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html
 
+## Federation
+
+If users are just created via Keycloak and not via LDAP, they have a different username. Due to this reaso concider to use LDAP to guaranty that the username is valid. 
+
 ---
 
 ## Further Information ℹ️

roles/docker-nextcloud/tasks/ldap.yml

@@ -2,3 +2,5 @@
 # @See https://chatgpt.com/c/67aa2d21-cb4c-800f-b1be-8629b6bd3f55
 # @todo implement
 #docker compose exec -u www-data application php occ app:enable user_ldap
+
+occ config:app:set user_ldap installed_version --value "1.21.0"

roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2

@@ -1,7 +1,7 @@
 http_address            =   "0.0.0.0:4180"
-cookie_secret           =   "{{applications.oauth2_proxy.cookie_secret}}"
+cookie_secret           =   "{{applications[application_id].oauth2_proxy.cookie_secret}}"
 email_domains           =   "{{primary_domain}}"
-cookie_secure           =   "false"
+cookie_secure           =   "true"                                                  # True is necessary to force the cookie set via https
 upstreams               =   "http://{{applications[application_id].oauth2_proxy.application}}:{{applications[application_id].oauth2_proxy.port}}"
 cookie_domains          =   ["{{domain}}", "{{domains.keycloak}}"]                  # Required so cookie can be read on all subdomains.
 whitelist_domains       =   [".{{primary_domain}}"]                                 # Required to allow redirection back to original requested target.
@@ -16,4 +16,4 @@ provider_display_name   =   "Keycloak"
 
 # role restrictions
 #cookie_roles           =   "realm_access.roles"
-allowed_roles           =   "{{applications.oauth2_proxy.allowed_roles}}"
+allowed_roles           =   "{{applications.oauth2_proxy.allowed_roles}}"           # This is not correct here. needs to be placed in applications @todo move there when implementing

roles/docker-openproject/vars/main.yml

@@ -1,6 +1,6 @@
 application_id:               "openproject"
 docker_repository_address:    "https://github.com/opf/openproject-deploy"
-database_password:            "{{openproject_database_password}}"
+database_password:            "{{applications[application_id].credentials.database_password}}"
 database_type:                "postgres"
 
 openproject_plugins_service:  "{{docker_compose.directories.services}}plugins/"

roles/nginx-modifier-css/templates/global.css.j2

@@ -97,6 +97,13 @@ HINT:
   --bs-highlight-color: var(--color-10); /* Gemappt von #212529 */
   --bs-border-color-translucent: rgba(var(--color-rgb-01), 0.175); /* Gemappt von rgba(0, 0, 0, 0.175) */
   --bs-focus-ring-color: rgba(var(--color-rgb-65), 0.25); /* Gemappt von rgba(13, 110, 253, 0.25) */
+  
+  --bs-table-color: var(--bs-emphasis-color);
+  --bs-table-bg: var(--color-99);          /* White (#fff) */
+  --bs-table-border-color: var(--color-99);  /* White (#fff) */
+  --bs-table-striped-bg: var(--color-85);    /* Light Gray (entspricht ca. #dee2e6) */
+  --bs-table-hover-color: var(--color-01);   /* Black (#000) */
+  --bs-table-hover-bg: rgba(var(--bs-emphasis-color-rgb), 0.075);
 }
 
 
@@ -817,7 +824,7 @@ html[native-dark-active] .btn, .btn {
 }
 
 /* Navigation (Background and Text Colors) */
-.navbar, .navbar-light, .navbar-dark {
+.navbar, .navbar-light, .navbar-dark, .navbar.bg-light {
     background-color: var(--color-90);
     /* New Gradient based on original background (90 -5, 90, 90 +1, 90 +5) */
     background: linear-gradient({{ range(0, 361) | random }}deg, var(--color-85), var(--color-90), var(--color-91), var(--color-95));
@@ -840,6 +847,7 @@ html[native-dark-active] .btn, .btn {
     /* New Gradient based on original background (90 -5, 90, 90 +1, 90 +5) */
     background: linear-gradient({{ range(0, 361) | random }}deg, var(--color-85), var(--color-90), var(--color-91), var(--color-95));
     border-color: var(--color-85);
+    color: var(--color-12);
 }
 
 .card-body {
@@ -870,7 +878,7 @@ html[native-dark-active] .btn, .btn {
     color: var(--color-40);
 }
 
-/* Keycloak Header */
+/* Keycloak */
 div#app header, div#app header *{
     background-color: var(--color-60);
     /* New Gradient based on original background (60 -5, 60, 60 +1, 60 +5) */
@@ -991,7 +999,6 @@ div#mastodon .dropdown-button{
 
 div#mastodon .button, div#mastodon .button:active, div#mastodon .button:focus, div#mastodon .button:hover{
     background-color: var(--color-71);
-    /* New Gradient based on original background (71 -5, 71, 71 +1, 71 +5) */
     background: linear-gradient({{ range(0, 361) | random }}deg, var(--color-66), var(--color-71), var(--color-72), var(--color-76));
 }
 
@@ -1002,22 +1009,65 @@ div#mastodon .button, div#mastodon .button:active, div#mastodon .button:focus, d
 /** OpenProject **/
 header.op-app-header{
     background-color: var(--color-40);
-    /* New Gradient based on original background (40 -5, 40, 40 +1, 40 +5) */
     background: linear-gradient({{ range(0, 361) | random }}deg, var(--color-35), var(--color-40), var(--color-41), var(--color-45));
     color: var(--color-40);
 }
 
-/** Open Project **/
 div#wrapper button, div#wrapper input, button.top-menu-search-button, div.menu-sidebar a{
     background-color: transparent;
 }
 
+/* OAuth2 Proxy */
+{# The variables look like they are bootstrap variables. @todo Verify and generalize if possible #}
+.box {
+    background-color: var(--color-92);
+    color: var(--color-10);
+}
+
+.subtitle {
+    color: inherit;
+}
+
+.has-background-light {
+    background-color: var(--color-96) !important;
+}
+
 /* Pixelfed */
 div.page-wrapper{
     background: none;
     background-color: none;
 }
 
+/* PHP MyAdmin */
+#pma_navigation {
+    background: linear-gradient(to right, var(--color-95), var(--color-85));
+    color: var(--color-05);
+}
+
+#pma_navigation_tree a {
+    color: var(--color-05);
+}
+
+#pma_navigation_tree li.activePointer, #pma_navigation_tree li.selected {
+    color: var(--color-05);
+    background-color: var(--color-70);
+}
+
+.breadcrumb-navbar {
+    background-color: var(--color-86);
+}
+
+.navbar-nav .nav-item {
+    background: linear-gradient(var(--color-99), var(--color-85));
+    border-right-color: var(--color-99);
+    border-left-color: var(--color-80);
+    border-bottom-color: var(--color-80);
+}
+
+.result_query div.sqlOuter {
+    background: var(--color-50);
+}
+
 /** Taiga specific configuration  **/
 
 section.main.kanban{
@@ -1049,6 +1099,15 @@ section.kanban h1, section.kanban h2{
     background: linear-gradient({{ range(0, 361) | random }}deg, var(--color-70), var(--color-75), var(--color-76), var(--color-80));
 }
 
+.kanban.swimlane .kanban-header {
+    background: none;
+}
+
+.kanban-table-header .task-colum-name {
+    background-color: var(--color-70);
+    color: var(--color-10);
+}
+
 /* Portfolio */ 
 .card-img-top i {
     filter: drop-shadow(4px 4px 4px rgba(var(--color-rgb-23), 0.6));