refactored oauth2-proxy

Merge branch 'master' of github.com:kevinveenbirkenbach/cymais
implemented functioning oauth2-proxy
2025-04-28 18:30:24 +02:00 · 2025-01-26 16:14:30 +01:00 · 2025-01-26 15:15:53 +01:00 · 2025-01-26 15:15:23 +01:00 · 2025-01-26 13:25:39 +01:00
14 changed files with 116 additions and 22 deletions
--- a/group_vars/all
+++ b/group_vars/all
@ -273,7 +273,7 @@ mastodon_single_user_mode:        false
 matrix_administrator_username:  "{{administrator_username}}"  # Accountname of the matrix admin
 matrix_playbook_tags:           "setup-all,start"             # For the initial update use: install-all,ensure-matrix-users-created,start
 matrix_role:                    "compose"                     # Role to setup Matrix. Valid values: ansible, compose
-matrix_server_name:             "{{primary_domain}}"              # Adress for the account names etc.
+matrix_server_name:             "{{primary_domain}}"          # Adress for the account names etc.
 matrix_synapse_version:         "latest"
 matrix_element_version:         "latest"

@ -289,17 +289,29 @@ moodle_administrator_email: "{{administrator_email}}"
 moodle_version:             "latest"

 #### MyBB
-mybb_version:            "latest"
+mybb_version:               "latest"

 #### Nextcloud
-nextcloud_version:      "production"  # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/
+nextcloud_version:          "production"  # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/
+
+#### OAuth2 Proxy
+oauth2_configuration_file:            "oauth2-proxy-keycloak.cfg"
+oauth2_proxy_active:                  false       # Needs to be set true in the roles which use it
+oauth2_version:                       "latest"
+oauth2_proxy_redirect_url:            "https://{{domain_keycloak}}/auth/realms/{{primary_domain}}/protocol/openid-connect/auth"  # The redirect URL for the OAuth2 flow. It should match the redirect URL configured in Keycloak.
+# oauth2_proxy_port:                  >= 4180     # This ports should be defined in the roles. They are for the local mapping on the host and need to be defined in the playbook for transparancy.
+# oauth2_proxy_upstream_application_and_port:  # The name of the application which the server redirects to. Needs to be defined in role vars.
+
+#### Open Project
+# openproject_oauth2_proxy_client_secret: Needs to be defined in inventory # The client ID configured in Keycloak for the application. 
+# openproject_oauth2_proxy_cookie_secret: Needs to be defined in inventory # The client secret configured in Keycloak for the application.

 #### Peertube
-peertube_version:       "bookworm"
+peertube_version:           "bookworm"

 #### Pixelfed
-pixelfed_app_name:      "Pictures on {{primary_domain}}"
-pixelfed_version:       "latest"
+pixelfed_app_name:          "Pictures on {{primary_domain}}"
+pixelfed_version:           "latest"

 #### Postgres
 # Please set an version in your inventory file - Rolling release for postgres isn't recommended
--- a/playbook.servers.yml
+++ b/playbook.servers.yml
@ -228,8 +228,9 @@
  roles:
   -  role: docker-openproject
      vars:
-        domain: "{{domain_openproject}}"
-        http_port: 8023
+        domain:             "{{domain_openproject}}"
+        http_port:          8023
+        oauth2_proxy_port:  4180

 - name: setup gitlab hosts
  hosts: gitlab
--- a/roles/docker-oauth2-proxy/README.md
+++ b/roles/docker-oauth2-proxy/README.md
@ -0,0 +1 @@
+https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/local-environment/keycloak/oauth2-proxy-realm.json
--- a/roles/docker-oauth2-proxy/tasks/main.yml
+++ b/roles/docker-oauth2-proxy/tasks/main.yml
@ -0,0 +1,6 @@
+- name: "Transfering oauth2-proxy-keycloak.cfg.j2 to {{docker_compose_instance_directory}}"
+  template:
+    src: oauth2-proxy-keycloak.cfg.j2
+    dest: "{{docker_compose_instance_directory}}{{oauth2_configuration_file}}"
+  notify:
+    - docker compose project setup
--- a/roles/docker-oauth2-proxy/templates/container.yml.j2
+++ b/roles/docker-oauth2-proxy/templates/container.yml.j2
@ -0,0 +1,11 @@
+  oauth2-proxy:
+    #image: quay.io/oauth2-proxy/oauth2-proxy:v7.8.1
+    image: quay.io/oauth2-proxy/oauth2-proxy:{{oauth2_version}}
+    restart: {{docker_restart_policy}}
+    command: --config /oauth2-proxy.cfg
+    hostname: oauth2-proxy
+    ports:
+      - {{oauth2_proxy_port}}:4180/tcp
+    volumes:
+      - "./{{oauth2_configuration_file}}:/oauth2-proxy.cfg"
+{% include 'templates/docker/container/networks.yml.j2' %}
--- a/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
+++ b/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
@ -0,0 +1,17 @@
+http_address="0.0.0.0:4180"
+cookie_secret="{{oauth2_proxy_cookie_secret}}"
+email_domains="{{primary_domain}}"
+cookie_secure="false"
+upstreams="http://{{oauth2_proxy_upstream_application_and_port}}"
+cookie_domains=["{{domain}}", "{{domain_keycloak}}"]                # Required so cookie can be read on all subdomains.
+whitelist_domains=[".{{primary_domain}}"]                           # Required to allow redirection back to original requested target.
+
+# keycloak provider
+client_secret="{{oauth2_proxy_client_secret}}"
+client_id="{{domain}}"
+redirect_url="https://{{domain}}/oauth2/callback"
+
+# in this case oauth2-proxy is going to visit
+oidc_issuer_url="https://{{domain_keycloak}}/realms/{{primary_domain}}"
+provider="oidc"
+provider_display_name="Keycloak"
--- a/roles/docker-openproject/tasks/main.yml
+++ b/roles/docker-openproject/tasks/main.yml
@ -8,7 +8,6 @@
 - name: "include tasks update-repository-with-docker-compose.yml"
  include_tasks: update-repository-with-docker-compose.yml

-
 - name: "Transfering Gemfile.plugins to {{docker_compose_instance_directory}}"
  copy:
    src: Gemfile.plugins
--- a/roles/docker-openproject/templates/docker-compose.yml.j2
+++ b/roles/docker-openproject/templates/docker-compose.yml.j2
@ -22,6 +22,8 @@ services:

 {% include 'templates/docker/services/' + database_type + '.yml.j2' %}

+{% include 'roles/docker-oauth2-proxy/templates/container.yml.j2' %}
+
  cache:
    image: memcached
    container_name: openproject-memcached
@ -38,7 +40,7 @@ services:
    container_name: openproject-proxy
    command: "./docker/prod/proxy"
    ports:
-      - "${PORT}:80"
+      - "127.0.0.1:{{http_port}}:80"
    environment:
      APP_HOST: web
      OPENPROJECT_RAILS__RELATIVE__URL__ROOT: "${OPENPROJECT_RAILS__RELATIVE__URL__ROOT:-}"
@ -79,8 +81,8 @@ services:
      - "/var/run/docker.sock:/var/run/docker.sock"
    environment:
      AUTOHEAL_CONTAINER_LABEL: autoheal
-      AUTOHEAL_START_PERIOD: 600
-      AUTOHEAL_INTERVAL: 30
+      AUTOHEAL_START_PERIOD:    600
+      AUTOHEAL_INTERVAL:        30

  worker:
    <<: *app
--- a/roles/docker-openproject/templates/env.j2
+++ b/roles/docker-openproject/templates/env.j2
@ -8,7 +8,6 @@
 #
 OPENPROJECT_HTTPS=true
 OPENPROJECT_HOST__NAME={{domain}}
-PORT=127.0.0.1:{{http_port}}
 OPENPROJECT_RAILS__RELATIVE__URL__ROOT=
 IMAP_ENABLED=false
 POSTGRES_PASSWORD="{{ database_password }}"
--- a/roles/docker-openproject/vars/main.yml
+++ b/roles/docker-openproject/vars/main.yml
@ -1,8 +1,14 @@
-docker_compose_project_name:        "openproject"
-repository_directory:               "{{ path_docker_compose_instances }}{{docker_compose_project_name}}/"
-docker_compose_instance_directory:  "{{repository_directory}}compose/"
-database_password:                  "{{openproject_database_password}}"
-repository_address:                 "https://github.com/opf/openproject-deploy"
-database_type:                      "postgres"
+docker_compose_project_name:                  "openproject"
+repository_directory:                         "{{ path_docker_compose_instances }}{{docker_compose_project_name}}/"
+docker_compose_instance_directory:            "{{repository_directory}}compose/"
+database_password:                            "{{openproject_database_password}}"
+repository_address:                           "https://github.com/opf/openproject-deploy"
+database_type:                                "postgres"
 # The following volume doesn't have a practcical function. It just exist to prevent the creation of unnecessary anonymous volumes
-dummy_volume:                       "{{repository_directory}}dummy_volume"
+dummy_volume:                                 "{{repository_directory}}dummy_volume"
+
+# OAuth2 Proxy Configuration
+oauth2_proxy_client_secret:                   "{{openproject_oauth2_proxy_client_secret}}"
+oauth2_proxy_cookie_secret:                   "{{openproject_oauth2_proxy_cookie_secret}}"
+oauth2_proxy_upstream_application_and_port:   "proxy:80"
+oauth2_proxy_active:                          true
--- a/roles/nginx-docker-reverse-proxy/templates/domain.conf.j2
+++ b/roles/nginx-docker-reverse-proxy/templates/domain.conf.j2
@ -2,13 +2,32 @@ server
 {
  server_name {{domain}};

-  # Include Matomo Tracking Code
+  {% if oauth2_proxy_active | bool %}
+  # Include OAuth2 Proxy
+  # Raise the maximal header size.
+  # Keycloak uses huge headers for authentification 
+  proxy_buffer_size 16k;
+  proxy_buffers 8 16k;
+  proxy_busy_buffers_size 16k;
+  large_client_header_buffers 4 16k;
+
+  # OAuth2-Proxy-Endpoint
+  location /oauth2/ {
+      proxy_pass http://127.0.0.1:{{oauth2_proxy_port}};
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $scheme;
+  }
+  {% endif %}
+
  {% if nginx_matomo_tracking | bool %}
+    # Include Matomo Tracking Code
    {% include 'roles/nginx-matomo-tracking/templates/matomo-tracking.conf.j2' %}
  {% endif %}

-  # Additional Domain Specific Configuration
  {% if nginx_docker_reverse_proxy_extra_configuration is defined %}
+    # Additional Domain Specific Configuration
    {{nginx_docker_reverse_proxy_extra_configuration}}
  {% endif %}

--- a/roles/nginx-docker-reverse-proxy/templates/proxy_pass.conf.j2
+++ b/roles/nginx-docker-reverse-proxy/templates/proxy_pass.conf.j2
@ -1,5 +1,10 @@
 location /
 {
+  {% if oauth2_proxy_active | bool %}
+  auth_request /oauth2/auth;
+  error_page 401 = /oauth2/start;
+  {% endif %}
+
  proxy_pass http://127.0.0.1:{{http_port}}/;

  # headers
--- a/tasks/nginx-docker-proxy-domain.yml
+++ b/tasks/nginx-docker-proxy-domain.yml
@ -3,3 +3,8 @@

 - name: "include task create-domain-conf.yml"
  include_tasks: create-domain-conf.yml
+
+- name: include the docker-oauth2-proxy role
+  include_role:
+    name: docker-oauth2-proxy
+  when: oauth2_proxy_active | bool
--- a/tasks/update-repository-with-files.yml
+++ b/tasks/update-repository-with-files.yml
@ -1,3 +1,14 @@
+- name: "Add {{oauth2_configuration_file}} to detached_files if oauth2_proxy_active is true"
+  ansible.builtin.set_fact:
+    detached_files: >-
+      {{
+        (detached_files | default([])) +
+        [oauth2_configuration_file]
+        if oauth2_configuration_file not in (detached_files | default([]))
+        else detached_files | default([])
+      }}
+  when: oauth2_proxy_active | default(false)
+
 - name: "backup detached files"
  command: >
    mv "{{docker_compose_instance_directory}}{{ item }}" "/tmp/{{docker_compose_project_name}}-{{ item }}.backup"
Author	SHA1	Message	Date
Kevin Veen-Birkenbach	08b56ec7cd	refactored oauth2-proxy	2025-01-26 16:14:30 +01:00
Kevin Veen-Birkenbach	a53ea09da6	Merge branch 'master' of github.com:kevinveenbirkenbach/cymais	2025-01-26 15:15:53 +01:00
Kevin Veen-Birkenbach	c35eb10343	implemented functioning oauth2-proxy	2025-01-26 15:15:23 +01:00
Kevin Veen-Birkenbach	7b9959af21	Implemented not working oauth2-proxy draft	2025-01-26 13:25:39 +01:00
				`@ -0,0 +1 @@`
				`https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/local-environment/keycloak/oauth2-proxy-realm.json`