feat: more oidc oauth2proxy

2025-12-06 10:11:36 +01:00 · 2023-01-15 19:37:29 +01:00
parent 4fd118fde6
commit 38529a428e
5 changed files with 21 additions and 13 deletions
--- a/group_vars/all.yaml
+++ b/group_vars/all.yaml
@@ -42,7 +42,7 @@ keycloak_clients:
        groups: "images"

    simple-log-server:
-        party_secret : "8fZpHISTORY_PURGED_SECRET"
+        party_secret : "HISTORY_PURGED_SECRET"
        client_id: z_sls
        client_secret: "HISTORY_PURGED_SECRET"
        redirect_uris: 
@@ -52,7 +52,7 @@ keycloak_clients:
        groups: "monitoring"

    soundlib-interface:
-        party_secret : "zdHRHISTORY_PURGED_SECRET"
+        party_secret : "HISTORY_PURGED_SECRET"
        client_id: z_soundlib
        client_secret: "HISTORY_PURGED_SECRET"
        redirect_uris: 
--- a/roles/web1/meta/main.yml
+++ b/roles/web1/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+    - global-handlers
--- a/roles/web1/tasks/main.yaml
+++ b/roles/web1/tasks/main.yaml
@@ -83,6 +83,13 @@
    - simple-log-server
    - soundlib-interface

+- name: Deploy OAuth2Proxy
+  community.docker.docker_compose:
+    project_src: /opt/oauth2proxy/{{ item }}/
+    pull: true
+  with_items:
+    - soundlib-interface
+
 - name: Template Systemd Units
  template:
    src: "waitress-systemd-unit.j2"
@@ -91,7 +98,7 @@
    - { name : "image-factory",      path : "/var/www/python-flask-picture-factory" }
    - { name : "serien-ampel",       path : "/var/www/serien-ampel" }
    - { name : "simple-log-server",  path : "/var/www/simple-log-server" }
-    - { name : "soundlib",          path : "/var/www/soundlib-interface", external_oidc : true }
+    - { name : "soundlib-interface", path : "/var/www/soundlib-interface", external_oidc : true }
  notify:
    - daemon reload

@@ -106,4 +113,4 @@
    - image-factory
    - serien-ampel
    - simple-log-server
-    - soundlib
+    - soundlib-interface
--- a/templates/oauth-standalone-docker-compose.yaml
+++ b/templates/oauth-standalone-docker-compose.yaml
@@ -12,17 +12,16 @@ services:
    ports:
      - {{ services[item].port }}:{{ services[item].port }}
    environment:
-      OAUTH2_PROXY_UPSTREAMS: http://{{ ansible_default_ipv4.address }}:{{ services[item].port }}/
+      OAUTH2_PROXY_UPSTREAMS: http://{{ ansible_default_ipv4.address }}:{{ services[item].port + 1000 }}/
      OAUTH2_PROXY_EMAIL_DOMAINS: '*'
      OAUTH2_PROXY_PROVIDER: oidc
-      OAUTH2_PROXY_PROVIDER_DISPLAY_NAME: "Keycloak"
-      OAUTH2_PROXY_SKIP_PROVIDER_BUTTON: true
+      OAUTH2_PROXY_PROVIDER_DISPLAY_NAME: "AtlantisHQ Accounts"
      OAUTH2_PROXY_REDIRECT_URL: http://localhost/oauth2/callback

      OAUTH2_PROXY_OIDC_ISSUER_URL: "https://{{ keycloak_address }}/realms/master"
      OAUTH2_PROXY_CLIENT_ID: "{{ keycloak_clients[item].client_id }}"
-      OAUTH2_PROXY_CLIENT_SECRET: "{{ keycloak_clients[item].party_secret }}"
-      OAUTH2_PROXY_ALLOWED_GROUPS: "{{ keycloak_clients[item].groups }}"
+      OAUTH2_PROXY_CLIENT_SECRET: "{{ keycloak_clients[item].client_secret }}"
+      OAUTH2_PROXY_ALLOWED_ROLES: "{{ keycloak_clients[item].groups }}"

      OAUTH2_PROXY_OIDC_EMAIL_CLAIM: sub

--- a/vars/services.yaml
+++ b/vars/services.yaml
@@ -5,5 +5,5 @@ services:
        port: 5001
    simple-log-server:
        port: 5002
-    soundlib:
+    soundlib-interface:
        port: 5003