computer-playbook/roles/web-app-oauth2-proxy
Kevin Veen-Birkenbach c0e26275f8 Refactor defaults generation, credential creation, and inventory management
### Overview
This commit introduces a broad set of improvements across the defaults
generator, credential creation subsystem, inventory creation workflow,
and InventoryManager core logic.

### Major Changes
- Support empty or  config/main.yml in defaults generator and ensure that
  applications with empty configs are still included in defaults_applications.
- Add '--snippet' and '--allow-empty-plain' modes to create/credentials.py
  with non-destructive merging and correct plain-secret handling.
- Ensure empty strings for 'plain' credentials are never encrypted.
- Update InventoryManager to fully support allow_empty_plain and prevent
  accidental overwriting or encrypting existing VaultScalar or dict values.
- Add full-size implementation of cli/create/inventory.py including
  dynamic inventory building, role filtering, host_vars management, and
  parallelised credential snippet generation.
- Fix schemas (Magento, Nextcloud, OAuth2-Proxy, keyboard-color, etc.) to
  align with the new credential model and avoid test failures.
- Improve get_app_conf consistency by ensuring credentials.* paths are
  always resolvable for applications even when config/main.yml is empty.

### Added Test Coverage
- Unit tests for defaults generator handling empty configs.
- Full test suite for create/inventory.py including merge logic and
  vault-safe host_vars loading.
- Extensive tests for InventoryManager: plain-secret behavior,
  vault handling, and recursion logic.
- Update or remove outdated tests referencing old schema behaviour.

### Context
This commit is associated with a refactoring and debugging session documented here:
https://chatgpt.com/share/692ec0e1-5018-800f-b568-d09a53e9d0ee
2025-12-02 11:54:55 +01:00

Docker OAuth2 Proxy Role

Welcome to the Docker OAuth2 Proxy Role! 🌟 This role contains helper tasks and templates to set up OAuth2 Proxy, a reverse proxy that puts an OAuth2/OpenID Connect login in front of applications that have no authentication of their own. 💡

Overview

The OAuth2 Proxy shields specific web applications from unauthorized access: every request must carry a valid session, and a session is only issued after the user has authenticated at an external identity provider such as Keycloak. This role simplifies the setup process by providing templated configurations and tasks to integrate the OAuth2 Proxy with Docker Compose and Keycloak.

Features

  • 🚀 Automated configuration transfer to your Docker Compose instance.
  • 🔧 Template files for a fully customizable proxy setup.
  • 🔐 Integration with Keycloak as an OpenID Connect (OIDC) provider.
  • 🛡️ Configurations to secure applications and to scope the session cookie to a parent domain, so one login is shared across its subdomains.

How It Works

The role includes the following key components:

  1. Templates:

    • oauth2-proxy-keycloak.cfg.j2: A configuration file for the OAuth2 Proxy, pre-integrated with Keycloak as an identity provider.
    • container.yml.j2: A container definition for the OAuth2 Proxy, specifying the image, ports, volumes, and restart policies.
  2. Tasks:

    • A task to transfer the templated configuration to the Docker Compose instance directory.
    • A handler, notified by that task, that (re)builds the Docker Compose project once the configuration is in place.
  3. Integration:

    • Keycloak is configured as the OIDC provider: the proxy redirects unauthenticated users to the Keycloak realm, validates the returned ID token and issues its own session cookie.
    • The upstream setting points the proxy at the protected application, so only requests that have passed authentication are forwarded to it.
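The following is an added example, not the role's own oauth2-proxy-keycloak.cfg.j2 template or any code from the playbook. It builds the settings that such a template would render for a Keycloak OIDC client (provider, issuer, redirect URL, cookie scoping for subdomain SSO, upstream), renders them in the key = value file format oauth2-proxy reads, and runs a few checks a practitioner would want before deploying: a properly sized cookie secret, cookie_secure on, an https callback, no wildcard e-mail domain without a group restriction, and cookie domains that are also permitted redirect targets. The hostnames auth.example.com, app.example.com, the realm name "main", the client ID "oauth2-proxy" and the upstream http://app:8080 are placeholders.

```python
"""Illustrative oauth2-proxy settings for a Keycloak OIDC client.

Added example, not the role's oauth2-proxy-keycloak.cfg.j2 template.
Hostnames, realm, client ID, secret and upstream address are placeholders.
"""
import base64
import secrets
from typing import Dict, List


def generate_cookie_secret() -> str:
    # oauth2-proxy accepts a 16, 24 or 32 byte cookie secret; 32 bytes of
    # CSPRNG output, URL-safe base64 encoded, is what its documentation suggests.
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).decode()


def decoded_secret_length(secret: str) -> int:
    """Length in bytes of a base64 cookie secret, or 0 if it does not decode."""
    try:
        return len(base64.urlsafe_b64decode(secret))
    except ValueError:  # binascii.Error is a ValueError subclass
        return 0


# Placeholder values; a real deployment takes these from the inventory/vault.
SETTINGS: Dict[str, object] = {
    "provider": "keycloak-oidc",
    "client_id": "oauth2-proxy",
    "client_secret": "REPLACE_WITH_KEYCLOAK_CLIENT_SECRET",
    "oidc_issuer_url": "https://auth.example.com/realms/main",
    "redirect_url": "https://app.example.com/oauth2/callback",
    "code_challenge_method": "S256",           # PKCE on the authorization code flow
    "email_domains": ["example.com"],          # who may log in; "*" means anyone the IdP knows
    "cookie_secret": generate_cookie_secret(),
    "cookie_secure": True,
    "cookie_httponly": True,
    "cookie_samesite": "lax",
    "cookie_domains": [".example.com"],        # one session for every *.example.com app
    "whitelist_domains": [".example.com"],     # where post-login redirects may point
    "upstreams": ["http://app:8080"],          # the protected application
    "http_address": "0.0.0.0:4180",
    "reverse_proxy": True,                     # trust X-Forwarded-* from the front proxy
}


def _toml_value(value: object) -> str:
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, list):
        return "[" + ", ".join(_toml_value(v) for v in value) + "]"
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'


def render_config(settings: Dict[str, object]) -> str:
    """Render settings as the TOML-style key = value file oauth2-proxy reads."""
    return "\n".join(f"{k} = {_toml_value(v)}" for k, v in settings.items()) + "\n"


def check_config(settings: Dict[str, object]) -> List[str]:
    """Return findings for settings that would weaken or break the proxy."""
    findings: List[str] = []
    if decoded_secret_length(str(settings.get("cookie_secret", ""))) not in (16, 24, 32):
        findings.append("cookie_secret must decode to 16, 24 or 32 bytes")
    if not settings.get("cookie_secure", False):
        findings.append("cookie_secure is off; the session cookie could be sent over plain HTTP")
    if not str(settings.get("redirect_url", "")).startswith("https://"):
        findings.append("redirect_url is not https; the authorization code would travel in clear")
    # A wildcard e-mail domain admits every account in the realm unless a group
    # restriction applies (allowed_groups needs a group mapper on the Keycloak client).
    if settings.get("email_domains") == ["*"] and not settings.get("allowed_groups"):
        findings.append('email_domains = ["*"] admits every Keycloak account; set allowed_groups or a real domain list')
    whitelist = settings.get("whitelist_domains", [])
    for dom in settings.get("cookie_domains", []):
        if dom not in whitelist:
            findings.append(f"cookie_domains entry {dom} is not in whitelist_domains; post-login redirects to its subdomains are rejected")
    return findings


if __name__ == "__main__":
    print(render_config(SETTINGS))
    for finding in check_config(SETTINGS):
        print("WARN:", finding)
```

The rendered file is what the role would drop into the Compose instance directory; the checks are worth running in CI on the rendered output as well, since a template variable that silently resolves to an empty string (for example an unset cookie secret) is exactly the kind of defect that only shows up at login time.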

Why Use This Proxy?

Using this proxy ensures that only authenticated users can access your protected applications. By leveraging OAuth2, you can:

  • Secure applications with minimal configuration, without changing the application itself.
  • Enable single sign-on (SSO) and centralized user management in Keycloak.
  • Restrict who is admitted (for example by e-mail domain or Keycloak group) and share one session across the subdomains you choose.

Dependencies

Before using this role, ensure you have the following:

  • Docker and Docker Compose installed on your system.
  • A running Keycloak instance with a realm and a confidential OIDC client whose valid redirect URI is the proxy's /oauth2/callback endpoint.

Learn More

To learn more about OAuth2 Proxy, check out the official documentation at https://oauth2-proxy.github.io/oauth2-proxy/.

Author

This role was created and maintained by Kevin Veen-Birkenbach. 🌍 You can learn more about Kevin and his projects at veen.world.


Protect your web applications with ease and confidence!