feat: oidc web1 basics

2025-12-06 07:51:35 +01:00 · 2023-01-08 23:01:42 +01:00
parent 4b9ee96989
commit d926d70a5f
7 changed files with 124 additions and 1 deletions
--- a/group_vars/all.yaml
+++ b/group_vars/all.yaml
@@ -20,3 +20,19 @@ async_icinga_static_services:

 keycloak_admin_password: HISTORY_PURGED_SECRET
 keycloak_postgres_password: HISTORY_PURGED_SECRET
+keycloak_address: keycloak.atlantishq.de
+
+keycloak_clients:
+    python-flask-picture-factory:
+        client_id: z_images
+        client_secret: "HISTORY_PURGED_SECRET"
+        redirect_uris: '"https://images.atlantishq.de/*","https://images.athq.de/*","https://images.potaris.de/*"'
+    simple-log-server:
+        client_id: z_sls
+        client_secret: ""
+        redirect_uris: '"https://sls.atlantishq.de/*"'
+
+    soundlib-interface:
+        client_id: z_soundlib
+        client_secret: ""
+        redirect_uris: '"https://sounds.atlantishq.de/*"'
--- a/group_vars/usermanagement.yaml
+++ b/group_vars/usermanagement.yaml
@@ -0,0 +1,2 @@
+---
+keycloak_images_client_secret: HISTORY_PURGED_SECRET
--- a/playbook.yaml
+++ b/playbook.yaml
@@ -7,9 +7,13 @@
    - { role : monitoring-influx, tags : [ "influx" ] }
    - { role : base,              tags : [ "base" ] }

+- hosts: web1
+  roles:
+    - { role : web1, tags : [ "web1" ] }
+
 - hosts: kube1
  roles:
-    - { role : docker-deployments,tags : [ "docker", "kube1" ] }
+    - { role : docker-deployments, tags : [ "docker", "kube1" ] }

 - hosts: usermanagement
  roles:
--- a/roles/web1/tasks/main.yaml
+++ b/roles/web1/tasks/main.yaml
@@ -0,0 +1,64 @@
+- name: Install python packages
+  pip:
+    name: 
+      - itsdangerous==2.0.1
+      - flask
+      - flask-oidc
+      - Flask-SQLAlchemy
+      - MarkupSafe
+      - Pillow
+      - waitress
+
+- name: fix dumb flask oidc scheme bug
+  lineinfile:
+    path: /usr/local/lib/python3.9/dist-packages/flask_oidc/__init__.py
+    regex: "            flow\\.redirect_uri = url_for\\('_oidc_callback', _external=True\\)"
+    line:  "            flow.redirect_uri = url_for('_oidc_callback', _external=True, _scheme='https')"
+    backup: yes
+
+- name: Set mode /usr/local/lib/ (python libraries)
+  file:
+    path: /usr/local/lib/
+    mode: 'a+rX'
+    recurse: true
+
+- name: Clone repositories
+  git:
+    repo: https://github.com/FAUSheppy/{{ item }}.git
+    dest: "/var/www/{{ item }}"
+  with_items:        
+    - python-flask-picture-factory
+    - simple-log-server
+    - soundlib-interface
+
+- name: Deploy OIDC config (config)
+  template:
+    src: oidc_config.json.j2
+    dest: "/var/www/{{ item }}/oidc.json"
+    owner: www-data
+    group: www-data
+  with_items:
+    - python-flask-picture-factory
+    - simple-log-server
+    - soundlib-interface
+
+- name: Deploy OIDC config (client secrets)
+  template:
+    src: oidc_client_secrets.json.j2
+    dest: "/var/www/{{ item }}/oidc_client_secrets.json"
+    owner: www-data
+    group: www-data
+  with_items:
+    - python-flask-picture-factory
+    - simple-log-server
+    - soundlib-interface
+
+- name: Systemd Units
+  template:
+    src: "waitress-systemd-unit.j2"
+    dest: "/etc/systemd/user/{{ item.name }}.service"
+  with_items:
+    - { name : "image-factory",     path : "/var/www/python-flask-picture-factory", port : 5000 }
+    - { name : "serien-ampel",      path : "/var/www/serien-ampel",                 port : 5001 }
+    - { name : "simple-log-server", path : "/var/www/simple-log-service",           port : 5002 }
+    - { name : "soundlib",          path : "/var/www/soundlib-interface",           port : 5003 }
--- a/templates/oidc_client_secrets.json.j2
+++ b/templates/oidc_client_secrets.json.j2
@@ -0,0 +1,14 @@
+{
+    "web": {
+        "issuer": "https://{{ keycloak_address }}/realms/master",
+        "auth_uri": "https://{{ keycloak_address }}/realms/master/protocol/openid-connect/auth",
+        "client_id": "{{ keycloak_clients[item].client_id }}",
+        "client_secret": "{{ keycloak_clients[item].client_secret }}",
+        "redirect_uris": [
+            {{ keycloak_clients[item].redirect_uris }}
+        ],
+        "userinfo_uri": "https://{{ keycloak_address }}/realms/master/protocol/openid-connect/userinfo", 
+        "token_uri": "https://{{ keycloak_address }}/realms/master/protocol/openid-connect/token",
+        "token_introspection_uri": "https://{{ keycloak_address }}/realms/master/protocol/openid-connect/token/introspect"
+    }
+}
--- a/templates/oidc_config.json.j2
+++ b/templates/oidc_config.json.j2
@@ -0,0 +1,9 @@
+{
+    "SECRET_KEY" : "{{ lookup('password', '/dev/null length=20 chars=ascii_letters') }}",
+    "TEST" : true,
+    "DEBUG" : true,
+    "OIDC_CLIENT_SECRETS" : "oidc_client_secrets.json",
+    "OIDC_SCOPES" : [ "openid", "email", "roles" ],
+    "OIDC_INTROSPECTION_AUTH_METHOD": "client_secret_post",
+    "PREFERRED_URL_SCHEME" :  "https"
+}
--- a/templates/waitress-systemd-unit.j2
+++ b/templates/waitress-systemd-unit.j2
@@ -0,0 +1,14 @@
+[Unit]
+Description={{ item.name }} on {{ item.port }} at {{ item.path }}
+After=network.target
+
+[Service]
+WorkingDirectory={{ item.path }}
+
+Type=simple
+User=www-data
+
+ExecStart=/usr/bin/waitress-serve --host 0.0.0.0 --port {{ item.port }} --call 'app:createApp'
+
+[Install]
+WantedBy=multi-user.target