mirror of
https://github.com/kevinveenbirkenbach/computer-playbook.git
synced 2025-02-23 12:51:54 +01:00
60 lines
3.1 KiB
YAML
60 lines
3.1 KiB
YAML
#############################################
|
|
### Identity and Access Management (IAM) ###
|
|
#############################################
|
|
|
|
#############################################
|
|
### OIDC ###
|
|
#############################################
|
|
# @see https://en.wikipedia.org/wiki/OpenID_Connect
|
|
|
|
## Private configuration variables:
|
|
_oidc_client_realm: "{{ oidc.client.realm if oidc.client is defined and oidc.client.realm is defined else primary_domain }}"
|
|
_oidc_client_issuer_url: "https://{{domains.keycloak}}/realms/{{_oidc_client_realm}}"
|
|
|
|
defaults_oidc:
|
|
enabled: true
|
|
client:
|
|
id: "{{primary_domain}}"
|
|
# secret: # Define in inventory file
|
|
realm: "{{_oidc_client_realm}}"
|
|
issuer_url: "{{_oidc_client_issuer_url}}"
|
|
discovery_document: "{{_oidc_client_issuer_url}}/.well-known/openid-configuration"
|
|
authorize_url: "{{_oidc_client_issuer_url}}/protocol/openid-connect/auth"
|
|
toke_url: "{{_oidc_client_issuer_url}}/protocol/openid-connect/token"
|
|
user_info_url: "{{_oidc_client_issuer_url}}/protocol/openid-connect/userinfo"
|
|
logout_url: "{{_oidc_client_issuer_url}}/protocol/openid-connect/logout"
|
|
change_credentials: "{{_oidc_client_issuer_url}}account/account-security/signing-in"
|
|
|
|
#############################################
|
|
### OAuth2-Proxy ###
|
|
#############################################
|
|
# The name of the application which the server redirects to. Needs to be defined in role vars.
|
|
oauth2_proxy_upstream_application_and_port: "application:80"
|
|
oauth2_proxy_active: false
|
|
|
|
#############################################
|
|
### LDAP ###
|
|
#############################################
|
|
|
|
# Helper variables
|
|
_ldap_dn_base: "dc={{primary_domain_sld}},dc={{primary_domain_tld}}"
|
|
|
|
|
|
# This leads to that the role gets configured to use ldap
|
|
ldap_enabled: false
|
|
|
|
ldap:
|
|
# Enables LDAP for all roles in play if true
|
|
enabled: true
|
|
# Distinguished Names (DN)
|
|
dn:
|
|
# Defines the base Distinguished Name (DN) for the LDAP directory, constructed from the second-level domain (SLD) and top-level domain (TLD).
|
|
root: "{{_ldap_dn_base}}"
|
|
# Specifies the Distinguished Name (DN) of the LDAP administrator, combining the admin's username with the LDAP root domain.
|
|
administrator: "cn={{applications.ldap.administrator_username}},{{_ldap_dn_base}}"
|
|
server:
|
|
domain: "{{applications.ldap.openldap.hostname if applications.ldap.openldap.network.local | bool else domains.ldap}}" # Mapping for public or locale access
|
|
uri: "{% if applications.ldap.openldap.network.local | bool %}ldap://{{ applications.ldap.openldap.hostname }}:{{ ports.localhost.ldap.openldap }}{% else %}ldaps://{{ domains.ldap }}:{{ ports.public.ldaps.openldap }}{% endif %}"
|
|
network:
|
|
local: "{{applications.ldap.openldap.network.local}}" # Uses the application configuration to define if local network should be available or not
|
|
|