diff --git a/group_vars/all.yaml b/group_vars/all.yaml
index 6043436..d5a1c9e 100644
--- a/group_vars/all.yaml
+++ b/group_vars/all.yaml
@@ -42,7 +42,7 @@ keycloak_clients:
 groups: "images"
 simple-log-server:
- party_secret : "8fZpHISTORY_PURGED_SECRET"
+ party_secret : "HISTORY_PURGED_SECRET"
 client_id: z_sls
 client_secret: "HISTORY_PURGED_SECRET"
 redirect_uris:
@@ -52,7 +52,7 @@ keycloak_clients:
 groups: "monitoring"
 soundlib-interface:
- party_secret : "zdHRHISTORY_PURGED_SECRET"
+ party_secret : "HISTORY_PURGED_SECRET"
 client_id: z_soundlib
 client_secret: "HISTORY_PURGED_SECRET"
 redirect_uris:
diff --git a/roles/web1/meta/main.yml b/roles/web1/meta/main.yml
new file mode 100644
index 0000000..c808c92
--- /dev/null
+++ b/roles/web1/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+ - global-handlers
diff --git a/roles/web1/tasks/main.yaml b/roles/web1/tasks/main.yaml
index 90a9373..4b32342 100644
--- a/roles/web1/tasks/main.yaml
+++ b/roles/web1/tasks/main.yaml
@@ -83,15 +83,22 @@
 - simple-log-server
 - soundlib-interface
+- name: Deploy OAuth2Proxy
+ community.docker.docker_compose:
+ project_src: /opt/oauth2proxy/{{ item }}/
+ pull: true
+ with_items:
+ - soundlib-interface
+
 - name: Template Systemd Units
 template:
 src: "waitress-systemd-unit.j2"
 dest: "/etc/systemd/system/{{ item.name }}.service"
 with_items:
- - { name : "image-factory", path : "/var/www/python-flask-picture-factory" }
- - { name : "serien-ampel", path : "/var/www/serien-ampel" }
- - { name : "simple-log-server", path : "/var/www/simple-log-server" }
- - { name : "soundlib", path : "/var/www/soundlib-interface", external_oidc : true }
+ - { name : "image-factory", path : "/var/www/python-flask-picture-factory" }
+ - { name : "serien-ampel", path : "/var/www/serien-ampel" }
+ - { name : "simple-log-server", path : "/var/www/simple-log-server" }
+ - { name : "soundlib-interface", path : "/var/www/soundlib-interface", external_oidc : true }
 notify:
 - daemon reload
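Review bot: `party_secret` is still kept in plaintext in `group_vars/all.yaml` for both `simple-log-server` and `soundlib-interface`, even though the compose template in this same commit stops reading it in favour of `client_secret`, so the key now looks like dead configuration that still carries credential material. The `HISTORY_PURGED_SECRET` placeholders, and the `8fZp`/`zdHR` fragments that survive on the removed side, indicate real values were committed at some point; the Keycloak client secrets should be rotated in Keycloak rather than relying on the history rewrite, since any clone taken before the purge may still hold them. I would drop `party_secret` from both clients and keep `client_secret` in an ansible-vault-encrypted variable, e.g. `client_secret: "{{ vault_z_sls_client_secret }}"`, instead of a literal in group_vars. The `party_secret :` spelling (space before the colon) also differs from every other key in these entries.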
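Review bot: Renaming the systemd item from `soundlib` to `soundlib-interface` in the `Template Systemd Units` loop leaves the previously templated `/etc/systemd/system/soundlib.service` in place on already-provisioned hosts, and nothing in this hunk (nor the service list in the following hunk, which looks like the enable/start list) stops, disables or removes it. Both the old and new item point at `/var/www/soundlib-interface` with `external_oidc : true`, so the stale unit presumably keeps running the same app and would contend with the new unit for its listen port; the waitress unit template is not in this diff, so the bind address and port should be confirmed there. A small cleanup ahead of the template task would make the rename idempotent on existing hosts. Separately, `pull: true` on `Deploy OAuth2Proxy` re-pulls whatever tag the compose file under `/opt/oauth2proxy/soundlib-interface/` references on every run, so that image should be pinned to an exact version or digest if it is not already.
```yaml
- name: Check for the pre-rename soundlib unit
  ansible.builtin.stat:
    path: /etc/systemd/system/soundlib.service
  register: legacy_soundlib_unit

- name: Stop and disable the pre-rename soundlib unit
  ansible.builtin.systemd:
    name: soundlib
    state: stopped
    enabled: false
  when: legacy_soundlib_unit.stat.exists

- name: Remove the pre-rename soundlib unit file
  ansible.builtin.file:
    path: /etc/systemd/system/soundlib.service
    state: absent
  when: legacy_soundlib_unit.stat.exists
  notify:
    - daemon reload

# … unchanged: Template Systemd Units task …
```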
@@ -106,4 +113,4 @@
 - image-factory
 - serien-ampel
 - simple-log-server
- - soundlib
+ - soundlib-interface
diff --git a/templates/oauth-standalone-docker-compose.yaml b/templates/oauth-standalone-docker-compose.yaml
index 1d46dc1..e316ddd 100644
--- a/templates/oauth-standalone-docker-compose.yaml
+++ b/templates/oauth-standalone-docker-compose.yaml
@@ -12,17 +12,16 @@ services:
 ports:
 - {{ services[item].port }}:{{ services[item].port }}
 environment:
- OAUTH2_PROXY_UPSTREAMS: http://{{ ansible_default_ipv4.address }}:{{ services[item].port }}/
+ OAUTH2_PROXY_UPSTREAMS: http://{{ ansible_default_ipv4.address }}:{{ services[item].port + 1000 }}/
 OAUTH2_PROXY_EMAIL_DOMAINS: '*'
 OAUTH2_PROXY_PROVIDER: oidc
- OAUTH2_PROXY_PROVIDER_DISPLAY_NAME: "Keycloak"
- OAUTH2_PROXY_SKIP_PROVIDER_BUTTON: true
+ OAUTH2_PROXY_PROVIDER_DISPLAY_NAME: "AtlantisHQ Accounts"
 OAUTH2_PROXY_REDIRECT_URL: http://localhost/oauth2/callback
 OAUTH2_PROXY_OIDC_ISSUER_URL: "https://{{ keycloak_address }}/realms/master"
 OAUTH2_PROXY_CLIENT_ID: "{{ keycloak_clients[item].client_id }}"
- OAUTH2_PROXY_CLIENT_SECRET: "{{ keycloak_clients[item].party_secret }}"
- OAUTH2_PROXY_ALLOWED_GROUPS: "{{ keycloak_clients[item].groups }}"
+ OAUTH2_PROXY_CLIENT_SECRET: "{{ keycloak_clients[item].client_secret }}"
+ OAUTH2_PROXY_ALLOWED_ROLES: "{{ keycloak_clients[item].groups }}"
 OAUTH2_PROXY_OIDC_EMAIL_CLAIM: sub
diff --git a/vars/services.yaml b/vars/services.yaml
index 016c17a..efb10c4 100644
--- a/vars/services.yaml
+++ b/vars/services.yaml
@@ -5,5 +5,5 @@ services:
 port: 5001
 simple-log-server:
 port: 5002
- soundlib:
+ soundlib-interface:
 port: 5003
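Review bot: Switching `OAUTH2_PROXY_ALLOWED_GROUPS` to `OAUTH2_PROXY_ALLOWED_ROLES` while `OAUTH2_PROXY_PROVIDER` stays `oidc` most likely removes the authorization check altogether: as far as I can tell from oauth2-proxy's documentation, `allowed_roles` is honoured only by the `keycloak-oidc` provider and is ignored by the generic `oidc` provider, and with `OAUTH2_PROXY_EMAIL_DOMAINS: '*'` every authenticated realm user would then be let through to the upstream. Either set `OAUTH2_PROXY_PROVIDER: keycloak-oidc` (which evaluates realm/client roles from the access token) or stay on `oidc` and keep `OAUTH2_PROXY_ALLOWED_GROUPS` with a `groups` claim mapper on the Keycloak client; in both cases the variable consumed here should be renamed from `groups` to `roles` so the two are not conflated, and the change should be verified by logging in with an account outside the role before it ships. The proxy is published as `{{ port }}:{{ port }}` (all interfaces) while the upstream is addressed as `http://{{ ansible_default_ipv4.address }}:{{ services[item].port + 1000 }}/`, i.e. on the host's routable address; unless the host firewall blocks `port + 1000` from outside, the backend is reachable directly and the proxy can be bypassed — how the waitress unit binds is not in this diff, so confirm it. `OAUTH2_PROXY_REDIRECT_URL: http://localhost/oauth2/callback` is unchanged here but is plain `http` on host `localhost`, which is worth checking against the `redirect_uris` registered for these clients.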