sheppy/no-secrets-athq-ansible
1
0
Fork 0
mirror of https://github.com/FAUSheppy/no-secrets-athq-ansible synced 2025-12-10 03:28:33 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

feat: oauth2 proxy

Browse Source
This commit is contained in:
Johnathen Sheppard
2023-01-15 18:07:50 +01:00
parent fe2b0f1dab
commit 25441ea4b2
2 changed files with 8 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
roles/web1/tasks/main.yaml
View File

@@ -8,6 +8,7 @@
- Flask-SQLAlchemy - Flask-SQLAlchemy
- MarkupSafe - MarkupSafe
- Pillow - Pillow
- docker-compose
- waitress - waitress
- name: fix dumb flask oidc scheme bug - name: fix dumb flask oidc scheme bug

18
templates/oauth-standalone-docker-compose.yaml
View File

@@ -2,18 +2,17 @@ version: "3.7"
services: services:
web-app: oauth2-proxy-{{ item }}:
build: .
oauth2-proxy:
image: bitnami/oauth2-proxy:7.3.0 image: bitnami/oauth2-proxy:7.3.0
depends_on: depends_on:
- redis - redis
command: command:
- --http-address - --http-address
- 0.0.0.0:4180 - 0.0.0.0:{{ services[item].port }}
- --allowed-group soundlib ports:
- {{ services[item].port }}:{{ services[item].port }}
environment: environment:
OAUTH2_PROXY_UPSTREAMS: http://{{ ansible_default_ipv4.address }}:{{ services[item].port }}/
OAUTH2_PROXY_EMAIL_DOMAINS: '*' OAUTH2_PROXY_EMAIL_DOMAINS: '*'
OAUTH2_PROXY_PROVIDER: oidc OAUTH2_PROXY_PROVIDER: oidc
OAUTH2_PROXY_PROVIDER_DISPLAY_NAME: "Keycloak" OAUTH2_PROXY_PROVIDER_DISPLAY_NAME: "Keycloak"
@@ -23,19 +22,16 @@ services:
OAUTH2_PROXY_OIDC_ISSUER_URL: "https://{{ keycloak_address }}/realms/master" OAUTH2_PROXY_OIDC_ISSUER_URL: "https://{{ keycloak_address }}/realms/master"
OAUTH2_PROXY_CLIENT_ID: "{{ keycloak_clients[item].client_id }}" OAUTH2_PROXY_CLIENT_ID: "{{ keycloak_clients[item].client_id }}"
OAUTH2_PROXY_CLIENT_SECRET: "{{ keycloak_clients[item].party_secret }}" OAUTH2_PROXY_CLIENT_SECRET: "{{ keycloak_clients[item].party_secret }}"
OAUTH2_PROXY_ALLOWED_GROUPS: "{{ keycloak_clients[item].groups }}"
OAUTH2_PROXY_SKIP_JWT_BEARER_TOKENS: true
OAUTH2_PROXY_OIDC_EMAIL_CLAIM: sub OAUTH2_PROXY_OIDC_EMAIL_CLAIM: sub
OAUTH2_PROXY_SET_XAUTHREQUEST: true
OAUTH2_PROXY_PASS_ACCESS_TOKEN: true
OAUTH2_PROXY_SESSION_STORE_TYPE: redis OAUTH2_PROXY_SESSION_STORE_TYPE: redis
OAUTH2_PROXY_REDIS_CONNECTION_URL: redis://redis OAUTH2_PROXY_REDIS_CONNECTION_URL: redis://redis
OAUTH2_PROXY_COOKIE_REFRESH: 30m OAUTH2_PROXY_COOKIE_REFRESH: 30m
OAUTH2_PROXY_COOKIE_NAME: SESSION OAUTH2_PROXY_COOKIE_NAME: SESSION
OAUTH2_PROXY_COOKIE_SECRET: HISTORY_PURGED_SECRET OAUTH2_PROXY_COOKIE_SECRET: "{{ keycloak_clients[item].party_secret }}"
redis: redis:
image: redis:7.0.2-alpine3.16 image: redis:7.0.2-alpine3.16