kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-09-24 19:16:26 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
93d165fa4c1c69225ae7ac934e0aa0bcc57124f0
computer-playbook/roles/web-app-openwebui/templates/env.j2
Kevin Veen-Birkenbach 08720a43c1 feat(web-app-openwebui): enable OIDC role-based admin mapping 
Activate ENABLE_OAUTH_ROLE_MANAGEMENT and configure OAUTH_ROLES_CLAIM from
RBAC.GROUP.CLAIM. Define OAUTH_ADMIN_ROLES dynamically based on RBAC group
and application administrator naming convention.

Conversation: https://chatgpt.com/share/68d18e02-d6b8-800f-aaab-920c61b9284a
2025-09-22 20:27:01 +02:00

85 lines
3.0 KiB
Django/Jinja
Raw Blame History

# Documentation: https://docs.openwebui.com/getting-started/env-configuration/
# =========================
# Open WebUI Base Settings
# =========================
OLLAMA_BASE_URL={{ OLLAMA_BASE_LOCAL_URL }}
OFFLINE_MODE={{ OPENWEBUI_OFFLINE_MODE | ternary(1, 0) }}
HF_HUB_OFFLINE={{ OPENWEBUI_HF_HUB_OFFLINE | ternary(1, 0) }}
ENABLE_PERSISTENT_CONFIG=false
{% if OPENWEBUI_OIDC_ENABLED %}
# =========================
# OIDC / OAuth2 Settings
# =========================
# Enable sign-up/login via OIDC provider
ENABLE_OAUTH_SIGNUP=true
# Client credentials (must match Keycloak client)
OAUTH_CLIENT_ID={{ OIDC.CLIENT.ID }}
OAUTH_CLIENT_SECRET={{ OIDC.CLIENT.SECRET }}
# Well-known configuration URL from Keycloak
OPENID_PROVIDER_URL={{ OIDC.CLIENT.DISCOVERY_DOCUMENT }}
# Redirect URI (must match what is configured in Keycloak client)
OPENID_REDIRECT_URI={{ (domains | get_url(application_id, WEB_PROTOCOL)) ~ '/oauth/oidc/callback' }}
# Display name of the provider in the login button
OAUTH_PROVIDER_NAME={{ OIDC.BUTTON_TEXT }}
# Scopes to request (openid is required; email/profile recommended)
OAUTH_SCOPES=openid email profile
# =========================
# Optional: Role Management
# =========================
# Enable automatic role mapping from token claims
ENABLE_OAUTH_ROLE_MANAGEMENT=true
OAUTH_ROLES_CLAIM={{ RBAC.GROUP.CLAIM }}
# OAUTH_ALLOWED_ROLES=user
OAUTH_ADMIN_ROLES={{ [ RBAC.GROUP.NAME, application_id ~ '-administrator' ] | path_join }}
# =========================
# Optional: Group Management
# =========================
# ENABLE_OAUTH_GROUP_MANAGEMENT=true
# ENABLE_OAUTH_GROUP_CREATION=false
# OAUTH_GROUP_CLAIM={{ RBAC.GROUP.CLAIM }}
{% endif %}
{% if OPENWEBUI_LDAP_ENABLED %}
# =========================
# LDAP Authentication
# =========================
# Enable LDAP login in parallel to OIDC (both can coexist)
ENABLE_LDAP=true
# --- Server Settings ---
# Label shown in the UI (optional)
LDAP_SERVER_LABEL=OpenLDAP
# Hostname/IP and port from your global LDAP settings
LDAP_SERVER_HOST={{ LDAP.SERVER.DOMAIN }}
LDAP_SERVER_PORT={{ LDAP.SERVER.PORT }}
# TLS: set to true for StartTLS or LDAPS (maps from your SECURITY setting)
# SECURITY can be "", "TLS" or "SSL" in your mapping; treat TLS/SSL as true
LDAP_USE_TLS={{ ('true' if (LDAP.SERVER.SECURITY | upper) in ['TLS','SSL'] else 'false') }}
# Certificate validation (set to true if you use a proper CA; false for self-signed/dev)
LDAP_VALIDATE_CERT={{ ('true' if (LDAP.SERVER.SECURITY | upper) in ['TLS','SSL'] else 'false') }}
# --- Bind Credentials (app/service account) ---
LDAP_APP_DN={{ LDAP.DN.ADMINISTRATOR.DATA }}
LDAP_APP_PASSWORD={{ LDAP.BIND_CREDENTIAL }}
# --- User Schema / Search ---
# Base DN for user search
LDAP_SEARCH_BASE={{ LDAP.DN.ROOT }}
# Attribute used as login name (uid / sAMAccountName / mail, etc.)
LDAP_ATTRIBUTE_FOR_USERNAME={{ LDAP.USER.ATTRIBUTES.ID }}
# Attribute for email address
LDAP_ATTRIBUTE_FOR_MAIL={{ LDAP.USER.ATTRIBUTES.MAIL }}
# Search filter with placeholder for username
LDAP_SEARCH_FILTER=({{ LDAP.USER.ATTRIBUTES.ID }}=%(user)s)
{% endif %}
Reference in New Issue View Git Blame Copy Permalink