Replaced OIDC login for gitea with oauth2 proxy and LDAP to guaranty correct username etc.

Implemented OIDC für LDAP
2025-09-09 11:47:14 +02:00 · 2025-06-27 02:19:12 +02:00 · 2025-06-26 21:16:07 +02:00
38 changed files with 375 additions and 46 deletions
--- a/cli/utils/manager/inventory.py
+++ b/cli/utils/manager/inventory.py
@@ -105,6 +105,7 @@ class InventoryManager:
        """Generate a value based on the provided algorithm."""
        if algorithm == "random_hex":
            return secrets.token_hex(64)
+        
        if algorithm == "sha256":
            return hashlib.sha256(secrets.token_bytes(32)).hexdigest()
        if algorithm == "sha1":
@@ -116,4 +117,7 @@ class InventoryManager:
            return self.generate_secure_alphanumeric(64)
        if algorithm == "base64_prefixed_32":
            return "base64:" + base64.b64encode(secrets.token_bytes(32)).decode()
+        if algorithm == "random_hex_16":
+            # 16 Bytes → 32 Hex-Characters
+            return secrets.token_hex(16)
        return "undefined"
--- a/group_vars/all/08_ports.yml
+++ b/group_vars/all/08_ports.yml
@@ -13,6 +13,7 @@ ports:
      pgadmin:          4185
      phpldapadmin:     4186
      fusiondirectory:  4187
+      gitea:            4188
    ldap:
      ldap:             389
    http:
--- a/group_vars/all/12_iam.yml
+++ b/group_vars/all/12_iam.yml
@@ -41,6 +41,7 @@ defaults_oidc:
 _ldap_dn_base:            "dc={{primary_domain_sld}},dc={{primary_domain_tld}}"
 _ldap_server_port:        "{% if applications.ldap.network.docker | bool %}{{ ports.localhost.ldap.ldap }}{% else %}{{ ports.localhost.ldaps.ldap }}{% endif %}"
 _ldap_user_id:            "uid"
+_ldap_filters_users_all:  "(|(objectclass=inetOrgPerson))"

 ldap:
  # Distinguished Names (DN)
@@ -58,12 +59,17 @@ ldap:
  attributes:
    # Attribut to identify the user
    user_id:            "{{ _ldap_user_id }}"
+    mail:               "mail"
+    fullname:           "cn"
+    firstname:          "givenname"
+    surname:            "sn"
  # Password to access dn.bind
  bind_credential:      "{{applications.ldap.credentials.administrator_database_password}}"
  server:
    domain:             "{{applications.ldap.hostname if applications.ldap.network.docker | bool else domains.ldap}}" # Mapping for public or locale access
    port:               "{{_ldap_server_port}}"
    uri:                "{% if applications.ldap.network.docker | bool %}ldap://{{ applications.ldap.hostname }}{% else %}ldaps://{{ domains.ldap }}{% endif %}:{{ _ldap_server_port }}"
+    security:           "" #TLS, SSL - Leave empty for none
  network:
    local:              "{{applications.ldap.network.docker}}" # Uses the application configuration to define if local network should be available or not
  user_objects:
@@ -71,5 +77,9 @@ ldap:
    - inetOrgPerson     # Extended Internet / intranet person – RFC 2798
    - posixAccount      # POSIX/UNIX login attributes (uidNumber, gidNumber …) – RFC 2307
    - nextcloudUser     # Nextcloud-specific auxiliary attributes (nextcloudQuota, nextcloudEnabled) – Nextcloud schema
+    - ldapPublicKey     # Necessary for setting SSH keys for gitea
+
  filters:
-    user_filter:        "(&(|(objectclass=inetOrgPerson))({{_ldap_user_id}}=%{{_ldap_user_id}}))"
+    users:
+      login:            "(&{{ _ldap_filters_users_all }}({{_ldap_user_id}}=%{{_ldap_user_id}}))"
+      all:              "{{ _ldap_filters_users_all }}"
--- a/roles/docker-bigbluebutton/templates/env.j2
+++ b/roles/docker-bigbluebutton/templates/env.j2
@@ -158,7 +158,7 @@ OFFICE365_HD=
 # It is useful for cases when Greenlight is deployed behind a Network Load Balancer or proxy
 OAUTH2_REDIRECT=

-{% if applications[application_id].features.ldap | bool %}
+{% if applications | is_feature_enabled('ldap',application_id) %}
 # LDAP Login Provider (optional)
 #
 # You can enable LDAP authentication by providing values for the variables below.
--- a/roles/docker-discourse/templates/discourse_application.yml.j2
+++ b/roles/docker-discourse/templates/discourse_application.yml.j2
@@ -165,7 +165,7 @@ run:
  - exec: rails r "SiteSetting.ldap_bind_password = '{{ ldap.bind_credential }}'"

  # LDAP additional configuration
-  - exec: rails r "SiteSetting.ldap_user_filter = '{{ ldap.filters.user_filter }}'"
+  - exec: rails r "SiteSetting.ldap_user_filter = '{{ ldap.filters.users.login }}'"
  - exec: rails r "SiteSetting.ldap_group_base_dn = '{{ ldap.dn.groups }}'"
  - exec: rails r "SiteSetting.ldap_group_member_check = 'memberUid'"

--- a/roles/docker-espocrm/templates/env.j2
+++ b/roles/docker-espocrm/templates/env.j2
@@ -61,12 +61,12 @@ ESPOCRM_CONFIG_OUTBOUND_EMAIL_FROM_ADDRESS={{ users['no-reply'].email }}
 # LDAP settings (optional)
 # Applied only if the feature flag is true
 # ------------------------------------------------
-{% if applications[application_id].features.ldap | bool %}
+{% if applications | is_feature_enabled('ldap',application_id) %}
 ESPOCRM_CONFIG_AUTHENTICATION_METHOD=Ldap
 ESPOCRM_CONFIG_LDAP_HOST={{ ldap.server.domain }}
 ESPOCRM_CONFIG_LDAP_PORT={{ ldap.server.port }}
 # ESPOCRM_CONFIG_LDAP_SECURITY: "", SSL or TLS
-ESPOCRM_CONFIG_LDAP_SECURITY=          
+ESPOCRM_CONFIG_LDAP_SECURITY={{ ldap.server.security }}         
 ESPOCRM_CONFIG_LDAP_USERNAME={{ ldap.dn.administrator }}
 ESPOCRM_CONFIG_LDAP_PASSWORD={{ ldap.bind_credential }}
 ESPOCRM_CONFIG_LDAP_BASE_DN={{ ldap.dn.users }}
--- a/roles/docker-funkwhale/templates/env.j2
+++ b/roles/docker-funkwhale/templates/env.j2
@@ -100,7 +100,7 @@ DJANGO_SETTINGS_MODULE=config.settings.production
 # Generate one using `openssl rand -base64 45`, for example
 DJANGO_SECRET_KEY={{applications[application_id].credentials.django_secret}}

-{% if applications[application_id].features.ldap | bool %}
+{% if applications | is_feature_enabled('ldap',application_id) %}
 # LDAP settings
 # Use the following options to allow authentication on your Funkwhale instance
 # using a LDAP directory.
--- a/roles/docker-gitea/Administration.md
+++ b/roles/docker-gitea/Administration.md
@@ -27,3 +27,12 @@ To access the database execute
 ```
 ## bash in application
 docker-compose exec -it application /bin/sh
+
+## user management
+
+### Change password
+```bash 
+docker-compose exec --user git application gitea admin user change-password \
+  --username administrator \
+  --password "MyNewSecureP@ssw0rd"
+```
--- a/roles/docker-gitea/meta/schema.yml
+++ b/roles/docker-gitea/meta/schema.yml
@@ -1 +1,5 @@
-
+credentials:
+  oauth2_proxy_cookie_secret:
+    description: "Secret used to encrypt cookies for the OAuth2 proxy (hex-encoded, 16 bytes)"
+    algorithm: "random_hex_16"
+    validation: "^[a-f0-9]{32}$"
--- a/roles/docker-gitea/tasks/cleanup.yml
+++ b/roles/docker-gitea/tasks/cleanup.yml
@@ -0,0 +1,7 @@
+- name: Execute OIDC Cleanup Routine
+  include_tasks: cleanup/oidc.yml
+  when: not (applications | is_feature_enabled('oidc', application_id))
+
+- name: Execute LDAP Cleanup Routine
+  include_tasks: cleanup/ldap.yml
+  when: not (applications | is_feature_enabled('ldap', application_id))
--- a/roles/docker-gitea/tasks/cleanup/ldap.yml
+++ b/roles/docker-gitea/tasks/cleanup/ldap.yml
@@ -0,0 +1,22 @@
+- name: "Lookup existing LDAP auth source ID"
+  shell: |
+    docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
+      exec -T --user git application \
+      gitea admin auth list \
+      | awk -v name="LDAP ({{ primary_domain }})" '$0 ~ name {print $1; exit}'
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"
+  register: ldap_source_id_raw
+  failed_when: false
+  changed_when: false
+
+- name: "Delete existing LDAP auth source if present"
+  shell: |
+    docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
+      exec -T --user git application \
+      gitea admin auth delete --id {{ ldap_source_id_raw.stdout }}
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"
+  when: ldap_source_id_raw.stdout != ""
+  register: ldap_delete
+  failed_when: ldap_delete.rc != 0
--- a/roles/docker-gitea/tasks/cleanup/oidc.yml
+++ b/roles/docker-gitea/tasks/cleanup/oidc.yml
@@ -0,0 +1,23 @@
+
+- name: "Lookup existing OIDC auth source ID"
+  shell: |
+    docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
+      exec -T --user git application \
+      gitea admin auth list \
+      | awk -v name="{{ oidc.button_text }}" '$0 ~ name {print $1; exit}'
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"
+  register: oidc_source_id_raw
+  failed_when: false
+  changed_when: false
+
+- name: "Delete existing OIDC auth source if present"
+  shell: |
+    docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
+      exec -T --user git application \
+      gitea admin auth delete --id {{ oidc_source_id_raw.stdout }}
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"
+  when: oidc_source_id_raw.stdout != ""
+  register: oidc_delete
+  failed_when: oidc_delete.rc != 0
--- a/roles/docker-gitea/tasks/main.yml
+++ b/roles/docker-gitea/tasks/main.yml
@@ -11,3 +11,55 @@
    http_port:   "{{ ports.localhost.http[application_id] }}"

 - include_tasks: "{{ playbook_dir }}/roles/docker-compose/tasks/create-files.yml"
+
+- name: Wait for Gitea HTTP endpoint
+  wait_for:
+    host: "127.0.0.1"
+    port: "{{ ports.localhost.http[application_id] }}"
+    delay: 5
+    timeout: 300
+
+- name: "Run DB migrations inside Gitea container"
+  shell: |
+    docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
+      exec -T --user git application \
+      /app/gitea/gitea migrate
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"
+  register: migrate
+  changed_when: "'migrations completed' in migrate.stdout"
+
+- name: "Create initial admin user"
+  shell: |
+    docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
+      exec -T --user git application \
+      /app/gitea/gitea admin user create \
+        --admin \
+        --username "{{ users.administrator.username }}" \
+        --password "{{ users.administrator.password }}" \
+        --email    "{{ users.administrator.email }}" \
+        -c /data/gitea/conf/app.ini
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"
+  register: create_admin
+  changed_when: "'has been successfully created' in create_admin.stdout"
+  failed_when: create_admin.rc != 0 and 'user already exists' not in create_admin.stderr
+
+- name: "Wait until Gitea setup and migrations are ready"
+  uri:
+    url: "http://127.0.0.1:{{ ports.localhost.http[application_id] }}/api/v1/version"
+    method: GET
+    status_code: 200
+    return_content: no
+  register: gitea_ready
+  until: gitea_ready.status == 200
+  retries: 20
+  delay: 5
+  when: applications | is_feature_enabled('oidc', application_id) or applications | is_feature_enabled('ldap', application_id)
+
+- name: Execute Setup Routines
+  include_tasks: setup.yml
+
+- name: Execute Cleanup Routines
+  include_tasks: cleanup.yml 
+  when: mode_cleanup
--- a/roles/docker-gitea/tasks/setup.yml
+++ b/roles/docker-gitea/tasks/setup.yml
@@ -0,0 +1,7 @@
+- name: Execute OIDC Setup Routine
+  include_tasks: setup/oidc.yml
+  when: applications | is_feature_enabled('oidc', application_id)
+
+- name: Execute LDAP Setup Routine
+  include_tasks: setup/ldap.yml
+  when: applications | is_feature_enabled('ldap', application_id)
--- a/roles/docker-gitea/tasks/setup/ldap.yml
+++ b/roles/docker-gitea/tasks/setup/ldap.yml
@@ -0,0 +1,66 @@
+- name: "Add LDAP Authentication Source"
+  shell: |
+    docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
+      exec -T --user git application \
+      gitea admin auth add-ldap \
+        --name "LDAP ({{ primary_domain }})" \
+        --host "{{ ldap.server.domain }}" \
+        --port {{ ldap.server.port }} \
+        --security-protocol "{{ ldap.server.security | trim or 'unencrypted' }}" \
+        --bind-dn "{{ ldap.dn.administrator }}" \
+        --bind-password "{{ ldap.bind_credential }}" \
+        --user-search-base "{{ ldap.dn.users }}" \
+        --user-filter "{{ ldap.filters.users.login }}" \
+        --username-attribute "{{ ldap.attributes.user_id }}" \
+        --firstname-attribute "{{ ldap.attributes.firstname }}" \
+        --surname-attribute "{{ ldap.attributes.surname }}" \
+        --email-attribute "{{ ldap.attributes.mail }}" \
+        --synchronize-users      # turns on per-login sync
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"
+  register: ldap_manage
+  failed_when: ldap_manage.rc != 0 and "login source already exists" not in ldap_manage.stderr
+
+- name: "Lookup existing LDAP auth source ID"
+  shell: |
+    docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
+      exec -T --user git application \
+      gitea admin auth list \
+      | tail -n +2 \
+      | grep -F "LDAP ({{ primary_domain }})" \
+      | awk '{print $1; exit}'
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"
+  register: ldap_source_id_raw
+  failed_when:
+    - ldap_source_id_raw.rc != 0
+    - ldap_source_id_raw.stdout == ""
+  changed_when: false
+
+- name: "Set LDAP source ID fact"
+  set_fact:
+    ldap_source_id: "{{ ldap_source_id_raw.stdout }}"
+
+- name: "Update LDAP Authentication Source"
+  shell: |
+    docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
+      exec -T --user git application \
+      gitea admin auth update-ldap \
+        --id {{ ldap_source_id }} \
+        --name "LDAP ({{ primary_domain }})" \
+        --host "{{ ldap.server.domain }}" \
+        --port {{ ldap.server.port }} \
+        --security-protocol "{{ ldap.server.security | trim or 'unencrypted' }}" \
+        --bind-dn "{{ ldap.dn.administrator }}" \
+        --bind-password "{{ ldap.bind_credential }}" \
+        --user-search-base "{{ ldap.dn.users }}" \
+        --user-filter "(&(objectClass=inetOrgPerson)(uid=%s))" \
+        --username-attribute "{{ ldap.attributes.user_id }}" \
+        --firstname-attribute "{{ ldap.attributes.firstname }}" \
+        --surname-attribute "{{ ldap.attributes.surname }}" \
+        --email-attribute "{{ ldap.attributes.mail }}" \
+        --synchronize-users
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"
+  register: ldap_manage
+  failed_when: ldap_manage.rc != 0
--- a/roles/docker-gitea/tasks/setup/oidc.yml
+++ b/roles/docker-gitea/tasks/setup/oidc.yml
@@ -0,0 +1,52 @@
+- name: "Add Keycloak OIDC Provider"
+  shell: |
+    docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
+      exec -T --user git application \
+      gitea admin auth add-oauth \
+        --provider openidConnect \
+        --name     "{{ oidc.button_text }}" \
+        --key      "{{ oidc.client.id }}" \
+        --secret   "{{ oidc.client.secret }}" \
+        --auto-discover-url "{{ oidc.client.discovery_document }}" \
+        --scopes   "openid profile email"
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"
+  register: oidc_manage
+  failed_when: oidc_manage.rc != 0 and "login source already exists" not in oidc_manage.stderr
+
+- name: "Lookup existing Keycloak auth source ID"
+  shell: |
+    docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
+      exec -T --user git application \
+      /app/gitea/gitea admin auth list \
+      | tail -n +2 \
+      | grep -F "{{ oidc.button_text }}" \
+      | awk '{print $1; exit}'
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"
+  register: oidc_source_id_raw
+  failed_when:
+    - oidc_source_id_raw.rc != 0
+    - oidc_source_id_raw.stdout == ""
+  changed_when: false
+
+- name: "Set Keycloak source ID fact"
+  set_fact:
+    oidc_source_id: "{{ oidc_source_id_raw.stdout }}"
+
+- name: "Update Keycloak OIDC Provider"
+  shell: |
+    docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
+      exec -T --user git application \
+      gitea admin auth update-oauth \
+        --id {{ oidc_source_id }}\
+        --provider openidConnect \
+        --name     "{{ oidc.button_text }}" \
+        --key      "{{ oidc.client.id }}" \
+        --secret   "{{ oidc.client.secret }}" \
+        --auto-discover-url "{{ oidc.client.discovery_document }}" \
+        --scopes   "openid profile email"
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"
+  register: oidc_manage
+  failed_when: oidc_manage.rc != 0
--- a/roles/docker-gitea/templates/docker-compose.yml.j2
+++ b/roles/docker-gitea/templates/docker-compose.yml.j2
@@ -2,6 +2,8 @@ services:

 {% include 'roles/docker-central-database/templates/services/' + database_type + '.yml.j2' %}

+{% include 'roles/docker-oauth2-proxy/templates/container.yml.j2' %}
+
  application:
 {% include 'roles/docker-compose/templates/services/base.yml.j2' %}
    image: "{{ applications[application_id].images.gitea }}"
--- a/roles/docker-gitea/templates/env.j2
+++ b/roles/docker-gitea/templates/env.j2
@@ -1,19 +1,29 @@
 # Configuration
 # @see https://docs.gitea.com/next/administration/config-cheat-sheet#repository-repository

+# General
+DOMAIN={{domains | get_domain(application_id)}}
+RUN_MODE="{{ 'dev' if (CYMAIS_ENVIRONMENT | lower) == 'development' else 'prod' }}"
+ROOT_URL="{{ web_protocol }}://{{domains | get_domain(application_id)}}/"
+APP_NAME="{{ applications[application_id].title }}"
 USER_UID=1000
 USER_GID=1000
+
+# Logging configuration
+GITEA__log__MODE=console
+GITEA__log__LEVEL={% if enable_debug | bool %}Debug{% else %}Info{% endif %}    
+
+# Database
 DB_TYPE=mysql
 DB_HOST={{database_host}}:{{database_port}}
 DB_NAME={{database_name}}
 DB_USER={{database_username}}
 DB_PASSWD={{database_password}}
+
+# SSH
 SSH_PORT={{ports.public.ssh[application_id]}}
 SSH_LISTEN_PORT=22
-DOMAIN={{domains | get_domain(application_id)}}
 SSH_DOMAIN={{domains | get_domain(application_id)}}
-RUN_MODE="{{ 'dev' if (CYMAIS_ENVIRONMENT | lower) == 'development' else 'prod' }}"
-ROOT_URL="{{ web_protocol }}://{{domains | get_domain(application_id)}}/"

 # Mail Configuration 
 # @see https://docs.gitea.com/next/installation/install-with-docker#managing-deployments-with-environment-variables
@@ -31,3 +41,26 @@ GITEA__mailer__PASSWD={{ users['no-reply'].mailu_token }}
 GITEA__REPOSITORY__ENABLE_PUSH_CREATE_USER={{ applications[application_id].configuration.repository.enable_push_create_user | lower }}
 GITEA__REPOSITORY__DEFAULT_PRIVATE={{ applications[application_id].configuration.repository.default_private | lower }}
 GITEA__REPOSITORY__DEFAULT_PUSH_CREATE_PRIVATE={{ applications[application_id].configuration.repository.default_push_create_private | lower }}
+
+GITEA__security__INSTALL_LOCK=true # Locks the installation page
+
+# (De)activate OIDC
+GITEA__openid__ENABLE_OPENID_SIGNUP={{ applications | is_feature_enabled('oidc',application_id) | lower }}
+GITEA__openid__ENABLE_OPENID_SIGNUP={{ applications | is_feature_enabled('oidc',application_id) | lower }}
+
+{% if applications | is_feature_enabled('oidc',application_id) or applications | is_feature_enabled('ldap',application_id) %}
+
+EXTERNAL_USER_DISABLE_FEATURES=deletion,manage_credentials,change_username,change_full_name
+
+{% if applications | is_feature_enabled('ldap',application_id) %}
+GITEA__ldap__SYNC_USER_ON_LOGIN=true
+{% endif %}
+
+{% endif %}
+
+# ------------------------------------------------
+# Disable user self-registration
+# ------------------------------------------------
+# After this only admins can create accounts
+GITEA__service__DISABLE_REGISTRATION=false
+
--- a/roles/docker-gitea/vars/configuration.yml
+++ b/roles/docker-gitea/vars/configuration.yml
@@ -1,3 +1,4 @@
+title:                            "CyMaIS Code Hub"
 images:
  gitea:                          "gitea/gitea:latest"
 configuration:
@@ -7,9 +8,18 @@ configuration:
    default_push_create_private:  True      # Default private when creating a new repository with push-to-create.
 features:
  matomo:                         true
-  css:                            true
+  css:                            false
  portfolio_iframe:               true
  central_database:               true
+  ldap:                           true
+  oauth2:                         true
+  oidc:                           false # Deactivated because users aren't auto-created. 
+oauth2_proxy:
+  application:                    "application"
+  port:                           "3000"
+  acl:
+    blacklist:
+      - "/user/login"
 csp:
  flags:
    script-src-elem:
--- a/roles/docker-keycloak/templates/import/realm.json.j2
+++ b/roles/docker-keycloak/templates/import/realm.json.j2
@@ -1944,7 +1944,7 @@
                  "true"
                ],
                "ldap.full.name.attribute": [
-                  "cn"
+                  "{{ ldap.attributes.fullname }}"
                ]
              }
            },
--- a/roles/docker-lam/meta/schema.yml
+++ b/roles/docker-lam/meta/schema.yml
@@ -1,7 +1,7 @@
 credentials:
  oauth2_proxy_cookie_secret:
-    description: "Secret used to encrypt OAuth2 proxy cookies (hex-encoded, 16 bytes)"
-    algorithm: "sha256"
+    description: "Secret used to encrypt cookies for the OAuth2 proxy (hex-encoded, 16 bytes)"
+    algorithm: "random_hex_16"
    validation: "^[a-f0-9]{32}$"

  administrator_password:
--- a/roles/docker-lam/vars/configuration.yml
+++ b/roles/docker-lam/vars/configuration.yml
@@ -18,6 +18,8 @@ csp:
    script-src-elem:
      unsafe-inline:            true
      unsafe-eval:              true
+    script-src:
+      unsafe-inline:            true
 domains:
  aliases:
    - "ldap.{{primary_domain}}"
--- a/roles/docker-ldap/tasks/add_user_objects.yml
+++ b/roles/docker-ldap/tasks/add_user_objects.yml
@@ -0,0 +1,22 @@
+- name: "1) Gather all existing user DNs"
+  community.general.ldap_search:
+    server_uri: "{{ ldap.server.uri }}"
+    bind_dn:    "{{ ldap.dn.administrator }}"
+    bind_pw:    "{{ ldap.bind_credential }}"
+    base:       "{{ ldap.dn.users }}"
+    filter:     "{{ ldap.filters.users.all }}"
+    attributes: ["dn"]
+  register: ldap_existing_users
+
+- name: "2) Update each existing user with all user_objects"
+  community.general.ldap_attrs:
+    server_uri: "{{ ldap.server.uri }}"
+    bind_dn:    "{{ ldap.dn.administrator }}"
+    bind_pw:    "{{ ldap.bind_credential }}"
+    dn:         "{{ item.dn }}"
+    attributes:
+      objectClass: "{{ ldap.user_objects }}"
+    state: exact
+  loop: "{{ ldap_existing_users.entries }}"
+  loop_control:
+    label: "{{ item.dn }}"
--- a/roles/docker-ldap/tasks/main.yml
+++ b/roles/docker-ldap/tasks/main.yml
@@ -114,3 +114,6 @@
    - data
  loop_control:
    loop_var: folder
+
+- name: "Add Objects to all users"
+  include_tasks: add_user_objects.yml
--- a/roles/docker-mailu/templates/env.j2
+++ b/roles/docker-mailu/templates/env.j2
@@ -165,7 +165,7 @@ AUTH_REQUIRE_TOKENS=True
 # @see https://github.com/heviat/Mailu-OIDC/tree/master

 # Enable OpenID Connect. Possible values: True, False
-OIDC_ENABLED={{ applications[application_id].features.oidc | string | capitalize }}
+OIDC_ENABLED={{ applications | is_feature_enabled('oidc',application_id) | string | capitalize }}

 # OpenID Connect provider configuration URL
 OIDC_PROVIDER_INFO_URL={{oidc.client.issuer_url}}
--- a/roles/docker-mastodon/templates/env.j2
+++ b/roles/docker-mastodon/templates/env.j2
@@ -59,7 +59,7 @@ SMTP_FROM_ADDRESS=Mastodon <{{ users['no-reply'].email }}>
 # @see https://github.com/mastodon/mastodon/pull/16221
 # @see https://stackoverflow.com/questions/72081776/how-mastodon-configured-login-using-sso

-OIDC_ENABLED={{ applications[application_id].features.oidc | string | lower }}
+OIDC_ENABLED={{ applications | is_feature_enabled('oidc',application_id) | string | lower }}
 OIDC_DISPLAY_NAME="{{oidc.button_text}}"
 OIDC_ISSUER={{oidc.client.issuer_url}}
 OIDC_DISCOVERY=true
--- a/roles/docker-matomo/meta/schema.yml
+++ b/roles/docker-matomo/meta/schema.yml
@@ -6,6 +6,6 @@ credentials:
    validation: "^[a-f0-9]{64}$"

  oauth2_proxy_cookie_secret:
-    description: "Secret used to encrypt cookies in the OAuth2 Proxy (hex-encoded, 16 bytes)"
-    algorithm: "sha256"
+    description: "Secret used to encrypt cookies for the OAuth2 proxy (hex-encoded, 16 bytes)"
+    algorithm: "random_hex_16"
    validation: "^[a-f0-9]{32}$"
--- a/roles/docker-nextcloud/templates/config/oidc.config.php.j2
+++ b/roles/docker-nextcloud/templates/config/oidc.config.php.j2
@@ -146,7 +146,7 @@ return array (
    //
    // The `id` attribute in `oidc_login_attributes` must return the
    // "Internal Username" (see expert settings in LDAP integration)
-    'oidc_login_proxy_ldap' => {{applications[application_id].features.ldap | string | lower}},
+    'oidc_login_proxy_ldap' => {{ applications | is_feature_enabled('ldap',application_id) | string | lower }},

    // Disable creation of users new to Nextcloud from OIDC login.
    // A user may be known to the IdP but not (yet) known to Nextcloud.
--- a/roles/docker-nextcloud/vars/plugins/user_ldap.yml
+++ b/roles/docker-nextcloud/vars/plugins/user_ldap.yml
@@ -107,7 +107,7 @@ plugin_configuration:
  -
    appid: "user_ldap"
    configkey: "s01ldap_login_filter"
-    configvalue: "{{ ldap.filters.user_filter }}"
+    configvalue: "{{ ldap.filters.users.login }}"
  -
    appid: "user_ldap"
    configkey: "s01ldap_login_filter_mode"
@@ -163,7 +163,7 @@ plugin_configuration:
  -
    appid: "user_ldap"
    configkey: "s01ldap_userlist_filter"
-    configvalue: "(|(objectclass=inetOrgPerson))"
+    configvalue: "{{ ldap.filters.users.login }}"
  -
    appid: "user_ldap"
    configkey: "s01use_memberof_to_detect_membership"
--- a/roles/docker-openproject/meta/schema.yml
+++ b/roles/docker-openproject/meta/schema.yml
@@ -2,5 +2,5 @@ credentials:

  oauth2_proxy_cookie_secret:
    description: "Secret used to encrypt cookies for the OAuth2 proxy (hex-encoded, 16 bytes)"
-    algorithm: "sha256"
+    algorithm: "random_hex_16"
    validation: "^[a-f0-9]{32}$"
--- a/roles/docker-pgadmin/meta/schema.yml
+++ b/roles/docker-pgadmin/meta/schema.yml
@@ -1,7 +1,7 @@
 credentials:
  oauth2_proxy_cookie_secret:
-    description: "Secret used by OAuth2 Proxy to encrypt browser cookies (16 bytes hex-encoded)"
-    algorithm: "sha256"
+    description: "Secret used to encrypt cookies for the OAuth2 proxy (hex-encoded, 16 bytes)"
+    algorithm: "random_hex_16"
    validation: "^[a-f0-9]{32}$"

  administrator_password:
--- a/roles/docker-phpldapadmin/meta/schema.yml
+++ b/roles/docker-phpldapadmin/meta/schema.yml
@@ -1,5 +1,5 @@
 credentials:
  oauth2_proxy_cookie_secret:
-    description: "Secret used by OAuth2 Proxy to encrypt session cookies (16 bytes hex-encoded)"
-    algorithm: "sha256"
+    description: "Secret used to encrypt cookies for the OAuth2 proxy (hex-encoded, 16 bytes)"
+    algorithm: "random_hex_16"
    validation: "^[a-f0-9]{32}$"
--- a/roles/docker-phpmyadmin/meta/schema.yml
+++ b/roles/docker-phpmyadmin/meta/schema.yml
@@ -1,5 +1,5 @@
 credentials:
  oauth2_proxy_cookie_secret:
-    description: "Secret used by OAuth2 Proxy to encrypt session cookies (16 bytes hex-encoded)"
-    algorithm: "sha256"
+    description: "Secret used to encrypt cookies for the OAuth2 proxy (hex-encoded, 16 bytes)"
+    algorithm: "random_hex_16"
    validation: "^[a-f0-9]{32}$"
--- a/roles/docker-pixelfed/templates/env.j2
+++ b/roles/docker-pixelfed/templates/env.j2
@@ -140,7 +140,7 @@ ENABLE_CONFIG_CACHE=true
 ###################################
 # @see https://github.com/pixelfed/pixelfed/commit/b3c27815788e4b47e7eb3fca727d817512cf26c2#diff-66e408190a301e81b5f1c079463487c54a6452c4944dc5ae80770f50101283ff

-PF_OIDC_ENABLED={{ applications[application_id].features.oidc | string | lower }}
+PF_OIDC_ENABLED={{ applications | is_feature_enabled('oidc',application_id) | string | lower }}
 PF_OIDC_AUTHORIZE_URL="{{oidc.client.authorize_url}}"
 PF_OIDC_TOKEN_URL="{{oidc.client.token_url}}"
 PF_OIDC_PROFILE_URL="{{ oidc.client.user_info_url }}"
--- a/roles/docker-taiga/templates/docker-compose.yml.j2
+++ b/roles/docker-taiga/templates/docker-compose.yml.j2
@@ -9,7 +9,7 @@ services:
      - media-data:/taiga-back/media
      # - ./config.py:/taiga-back/settings/config.py

-{% if applications[application_id].features.oidc and applications[application_id].oidc.flavor == 'taigaio' %}
+{% if applications | is_feature_enabled('oidc',application_id) and applications[application_id].oidc.flavor == 'taigaio' %}

      - {{ docker_compose.directories.config }}taiga-local.py:/taiga-back/settings/local.py:ro

@@ -22,7 +22,7 @@ services:
        condition: service_started
      taiga-async-rabbitmq:
        condition: service_started
-{% if applications[application_id].features.oidc and applications[application_id].oidc.flavor == 'taigaio' %}
+{% if applications | is_feature_enabled('oidc',application_id) and applications[application_id].oidc.flavor == 'taigaio' %}
    
    command: >
      /bin/sh -c "
@@ -42,7 +42,7 @@ services:
      - media-data:/taiga-back/media
      # - ./config.py:/taiga-back/settings/config.py

-{% if applications[application_id].features.oidc and applications[application_id].oidc.flavor == 'taigaio' %}
+{% if applications | is_feature_enabled('oidc',application_id) and applications[application_id].oidc.flavor == 'taigaio' %}

 {% for item in settings_files %}
      - {{ docker_compose.directories.config }}taiga-{{ item }}.py:/taiga-back/settings/{{ item }}.py:ro
@@ -57,7 +57,7 @@ services:
        condition: service_started
      taiga-async-rabbitmq:
        condition: service_started
-{% if applications[application_id].features.oidc and applications[application_id].oidc.flavor == 'taigaio' %}
+{% if applications | is_feature_enabled('oidc',application_id) and applications[application_id].oidc.flavor == 'taigaio' %}
    
    command: >
      /bin/sh -c "
--- a/roles/docker-taiga/templates/env.j2
+++ b/roles/docker-taiga/templates/env.j2
@@ -47,7 +47,7 @@ MAX_AGE             =   360
 # Taiga's Telemetry - Variable to enable or disable the anonymous telemetry
 ENABLE_TELEMETRY    =   True

-{% if applications[application_id].features.oidc %}
+{% if applications | is_feature_enabled('oidc',application_id) %}

 {% if applications[application_id].oidc.flavor == 'taigaio' %}

--- a/roles/docker-yourls/meta/schema.yml
+++ b/roles/docker-yourls/meta/schema.yml
@@ -10,6 +10,6 @@ credentials:
    validation: "^\\$2[aby]\\$.{56}$"

  oauth2_proxy_cookie_secret:
-    description: "Secret used by OAuth2 Proxy to encrypt browser cookies (16 bytes hex-encoded)"
-    algorithm: "sha256"
+    description: "Secret used to encrypt cookies for the OAuth2 proxy (hex-encoded, 16 bytes)"
+    algorithm: "random_hex_16"
    validation: "^[a-f0-9]{32}$"
Author	SHA1	Message	Date
Kevin Veen-Birkenbach	bb73e948d3	Replaced OIDC login for gitea with oauth2 proxy and LDAP to guaranty correct username etc.	2025-06-27 02:19:12 +02:00
Kevin Veen-Birkenbach	6d4723b321	Implemented OIDC für LDAP	2025-06-26 21:16:07 +02:00