initial: no secrets

2026-06-20 01:52:37 +02:00 · 2024-02-12 17:01:18 +01:00
commit cf9efd55b5
186 changed files with 8697 additions and 0 deletions
@@ -0,0 +1,59 @@
+version: "3.7"
+
+services:
+
+  oauth2-proxy-{{ item }}:
+    image: bitnami/oauth2-proxy:7.3.0
+    depends_on:
+      - redis
+    restart: always
+    command:
+{% if keycloak_clients[item].get("skips") %}
+{% for route in keycloak_clients[item].skips %}
+      - --skip-auth-route
+      - {{ route }}
+{% endfor %}
+{% endif %}
+      - --http-address
+      - 0.0.0.0:{{ services[item].port }}
+    ports:
+      - {{ services[item].port }}:{{ services[item].port }}
+    environment:
+      OAUTH2_PROXY_SCOPE: openid email profile
+      OAUTH2_PROXY_UPSTREAMS: http://{{ ansible_default_ipv4.address }}:{{ services[item].port + 1000 }}/
+      OAUTH2_PROXY_EMAIL_DOMAINS: '*'
+      OAUTH2_PROXY_PROVIDER: keycloak-oidc
+      OAUTH2_PROXY_PROVIDER_DISPLAY_NAME: "AtlantisHQ Accounts"
+      OAUTH2_PROXY_REDIRECT_URL: "{{ keycloak_clients[item].master_address }}/oauth2/callback"
+      OAUTH2_PROXY_OIDC_ISSUER_URL: "https://{{ keycloak_address }}/realms/master"
+      OAUTH2_PROXY_CLIENT_ID: "{{ keycloak_clients[item].client_id }}"
+      OAUTH2_PROXY_CLIENT_SECRET: "{{ keycloak_clients[item].client_secret }}"
+
+      {% if keycloak_clients[item].groups %}
+OAUTH2_PROXY_ALLOWED_GROUPS: {{ keycloak_clients[item].groups }}
+      {% endif %}
+
+      OAUTH2_PROXY_OIDC_EMAIL_CLAIM: sub
+      OAUTH2_PROXY_SET_XAUTHREQUEST: "true"
+
+      OAUTH2_PROXY_SESSION_STORE_TYPE: redis
+      OAUTH2_PROXY_REDIS_CONNECTION_URL: redis://redis
+
+      OAUTH2_PROXY_COOKIE_REFRESH: 17m
+      OAUTH2_PROXY_COOKIE_NAME: SESSION
+      OAUTH2_PROXY_COOKIE_SECRET: "{{ keycloak_clients[item].party_secret }}"
+
+      OAUTH2_PROXY_REVERSE_PROXY: "true"
+      OAUTH2_PROXY_SKIP_PROVIDER_BUTTON: "true"
+
+      OAUTH2_PROXY_WHITELIST_DOMAIN: "keycloak.atlantishq.de sso.atlantishq.de sso.potaris.de"
+
+  redis:
+    image: redis:7.2.4-alpine
+    restart: always
+    volumes:
+      - cache:/data
+
+volumes:
+  cache:
+    driver: local
@@ -0,0 +1,14 @@
+{
+    "web": {
+        "issuer": "https://{{ keycloak_address }}/realms/master",
+        "auth_uri": "https://{{ keycloak_address }}/realms/master/protocol/openid-connect/auth",
+        "client_id": "{{ keycloak_clients[item].client_id }}",
+        "client_secret": "{{ keycloak_clients[item].client_secret }}",
+        "redirect_uris": [
+            {{ '"' + keycloak_clients[item].redirect_uris | join('","') + '"' }}
+        ],
+        "userinfo_uri": "https://{{ keycloak_address }}/realms/master/protocol/openid-connect/userinfo", 
+        "token_uri": "https://{{ keycloak_address }}/realms/master/protocol/openid-connect/token",
+        "token_introspection_uri": "https://{{ keycloak_address }}/realms/master/protocol/openid-connect/token/introspect"
+    }
+}
@@ -0,0 +1,9 @@
+{
+    "SECRET_KEY" : "{{ keycloak_clients[item].party_secret }}",
+    "TEST" : true,
+    "DEBUG" : true,
+    "OIDC_CLIENT_SECRETS" : "oidc_client_secrets.json",
+    "OIDC_SCOPES" : [ "openid", "email", "roles" ],
+    "OIDC_INTROSPECTION_AUTH_METHOD": "client_secret_post",
+    "PREFERRED_URL_SCHEME" :  "https"
+}
@@ -0,0 +1,24 @@
+{% if item.get("port") %}
+{% set port = item.port %}
+{% else %}
+{% set port = services[item.name].port %}
+{% endif %}
+
+{% if item.get("external_oidc") %}
+{% set port = port + 1000 %}
+{% endif %}
+
+[Unit]
+Description={{ item.name }} on {{ port }} at {{ item.path }}
+After=network.target
+
+[Service]
+WorkingDirectory={{ item.path }}
+
+Type=simple
+User=www-data
+
+ExecStart=/usr/bin/waitress-serve --host 0.0.0.0 --port {{ port }} --call 'app:createApp'
+
+[Install]
+WantedBy=multi-user.target