From 25441ea4b2125bfb1ca57ff4a8664f9046cb3fbf Mon Sep 17 00:00:00 2001
From: Sheppy
Date: Sun, 15 Jan 2023 18:07:50 +0100
Subject: [PATCH] feat: oauth2 proxy
---
roles/web1/tasks/main.yaml | 1 +
templates/oauth-standalone-docker-compose.yaml | 18 +++++++-----------
2 files changed, 8 insertions(+), 11 deletions(-)
diff --git a/roles/web1/tasks/main.yaml b/roles/web1/tasks/main.yaml
index 59139c7..205cd30 100644
--- a/roles/web1/tasks/main.yaml
+++ b/roles/web1/tasks/main.yaml
@@ -8,6 +8,7 @@
- Flask-SQLAlchemy
- MarkupSafe
- Pillow
+ - docker-compose
- waitress
- name: fix dumb flask oidc scheme bug
diff --git a/templates/oauth-standalone-docker-compose.yaml b/templates/oauth-standalone-docker-compose.yaml
index 6619062..1d46dc1 100644
--- a/templates/oauth-standalone-docker-compose.yaml
+++ b/templates/oauth-standalone-docker-compose.yaml
@@ -2,18 +2,17 @@ version: "3.7"
services:
- web-app:
- build: .
-
- oauth2-proxy:
+ oauth2-proxy-{{ item }}:
image: bitnami/oauth2-proxy:7.3.0
depends_on:
- redis
command:
- --http-address
- - 0.0.0.0:4180
- - --allowed-group soundlib
+ - 0.0.0.0:{{ services[item].port }}
+ ports:
- {{ services[item].port }}:{{ services[item].port }}
environment:
+ OAUTH2_PROXY_UPSTREAMS: http://{{ ansible_default_ipv4.address }}:{{ services[item].port }}/
OAUTH2_PROXY_EMAIL_DOMAINS: '*'
OAUTH2_PROXY_PROVIDER: oidc
OAUTH2_PROXY_PROVIDER_DISPLAY_NAME: "Keycloak"
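Review bot: The new `- docker-compose` entry in the pip package list is unpinned, so every playbook run installs whatever version PyPI serves at that moment, which makes the deployment non-reproducible and widens the supply-chain exposure of a host that also holds the OIDC client secrets. Pin it to the version you actually tested, e.g. `- docker-compose==1.29.2` (the final v1 release), or add a comment explaining why the whole list is intentionally left floating. The pip task that owns this list starts above the hunk, so I cannot see whether it already carries a version constraint elsewhere.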
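Review bot: `OAUTH2_PROXY_UPSTREAMS: http://{{ ansible_default_ipv4.address }}:{{ services[item].port }}/` targets the same host address and port that the proxy itself publishes one stanza earlier via `ports: - {{ services[item].port }}:{{ services[item].port }}`, so unless the application really listens on a different socket than the one Docker DNATs to the container, the proxy appears to forward requests back to itself; the upstream should name the application's own port (e.g. a separate `services[item].upstream_port`) and only the proxy should own the published one. Publishing `port:port` with no host address also binds every interface, and Docker's published ports bypass host firewall rules such as ufw, so if a front-end web server is meant to be the only entry point bind to loopback instead: `- "127.0.0.1:{{ services[item].port }}:{{ services[item].port }}"`. Quoting the mapping as shown also keeps compose from misreading low port numbers as a sexagesimal integer. The `environment:` mapping and the surrounding `services` block continue past the end of this hunk.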
@@ -23,19 +22,16 @@ services:
OAUTH2_PROXY_OIDC_ISSUER_URL: "https://{{ keycloak_address }}/realms/master"
OAUTH2_PROXY_CLIENT_ID: "{{ keycloak_clients[item].client_id }}"
OAUTH2_PROXY_CLIENT_SECRET: "{{ keycloak_clients[item].party_secret }}"
+ OAUTH2_PROXY_ALLOWED_GROUPS: "{{ keycloak_clients[item].groups }}"
- OAUTH2_PROXY_SKIP_JWT_BEARER_TOKENS: true
OAUTH2_PROXY_OIDC_EMAIL_CLAIM: sub
- OAUTH2_PROXY_SET_XAUTHREQUEST: true
- OAUTH2_PROXY_PASS_ACCESS_TOKEN: true
- OAUTH2_PROXY_SESSION_STORE_TYPE: redis
OAUTH2_PROXY_REDIS_CONNECTION_URL: redis://redis
OAUTH2_PROXY_COOKIE_REFRESH: 30m
OAUTH2_PROXY_COOKIE_NAME: SESSION
- OAUTH2_PROXY_COOKIE_SECRET: HISTORY_PURGED_SECRET
+ OAUTH2_PROXY_COOKIE_SECRET: "{{ keycloak_clients[item].party_secret }}"
redis:
image: redis:7.0.2-alpine3.16
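Review bot: `OAUTH2_PROXY_COOKIE_SECRET: "{{ keycloak_clients[item].party_secret }}"` reuses the OIDC client secret (already exported two lines above as `OAUTH2_PROXY_CLIENT_SECRET`) as the session-cookie encryption key, so a single value now guards two unrelated trust boundaries and anyone who can read the client secret in Keycloak can forge or decrypt proxy sessions; give each proxy its own random value, e.g. `OAUTH2_PROXY_COOKIE_SECRET: "{{ keycloak_clients[item].cookie_secret }}"` generated with `openssl rand -base64 32` and stored in the vault alongside the client secret. oauth2-proxy additionally requires the cookie secret to be exactly 16, 24 or 32 bytes (raw or base64-encoded), which a Keycloak-issued client secret is not guaranteed to satisfy, so the container may refuse to start with the current value. As the diff reads, `OAUTH2_PROXY_SESSION_STORE_TYPE: redis` is removed while `OAUTH2_PROXY_REDIS_CONNECTION_URL` and the `redis` service stay, which would silently fall back to the cookie session store and leave Redis unused; if that removal is intentional drop the URL and the `depends_on` too, otherwise restore the line (the extracted diff may have lost a blank removed line here, so please confirm which it is). Finally, `OAUTH2_PROXY_ALLOWED_GROUPS: "{{ keycloak_clients[item].groups }}"` will render a YAML list as a Python repr such as `['a', 'b']`, which matches no group; if `groups` is a list use `"{{ keycloak_clients[item].groups | join(',') }}"`, and note that the check only works if the Keycloak client actually emits a `groups` claim. The `environment:` mapping and the enclosing `services` block begin above this hunk.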