feat: oauth2proxy compose skel

2025-12-09 13:08:34 +01:00 · 2023-01-15 11:46:36 +01:00
parent 0d63e8855b
commit fa61c58471
2 changed files with 66 additions and 0 deletions
--- a/roles/web1/tasks/main.yaml
+++ b/roles/web1/tasks/main.yaml
@@ -61,6 +61,25 @@
    - simple-log-server
    - soundlib-interface

+- name: OAuth2Proxy directories
+  file:
+    path: "/opt/oauth2proxy/{{ item }}/"
+    state: directory
+    recurse: yes
+  with_items:
+    - python-flask-picture-factory
+    - simple-log-server
+    - soundlib-interface
+
+- name: Deploy OAuth2Proxy compose files
+  template:
+    src: oauth-standalone-docker-compose.yaml
+    dest: "/opt/oauth2proxy/{{ item }}/docker-compose.yaml"
+  with_items:
+    - python-flask-picture-factory
+    - simple-log-server
+    - soundlib-interface
+
 - name: Template Systemd Units
  template:
    src: "waitress-systemd-unit.j2"
--- a/templates/oauth-standalone-docker-compose.yaml
+++ b/templates/oauth-standalone-docker-compose.yaml
@@ -0,0 +1,47 @@
+version: "3.7"
+
+services:
+
+  web-app:
+    build: .
+
+  oauth2-proxy:
+    image: bitnami/oauth2-proxy:7.3.0
+    depends_on:
+      - redis
+    command:
+      - --http-address
+      - 0.0.0.0:4180
+      - --allowed-group soundlib
+    environment:
+      OAUTH2_PROXY_EMAIL_DOMAINS: '*'
+      OAUTH2_PROXY_PROVIDER: oidc
+      OAUTH2_PROXY_PROVIDER_DISPLAY_NAME: "Keycloak"
+      OAUTH2_PROXY_SKIP_PROVIDER_BUTTON: true
+      OAUTH2_PROXY_REDIRECT_URL: http://localhost/oauth2/callback
+
+      OAUTH2_PROXY_OIDC_ISSUER_URL: "https://{{ keycloak_address }}/realms/master"
+      OAUTH2_PROXY_CLIENT_ID: "{{ keycloak_clients[item].client_id }}"
+      OAUTH2_PROXY_CLIENT_SECRET: "{{ keycloak_clients[item].party_secret }}"
+
+      OAUTH2_PROXY_SKIP_JWT_BEARER_TOKENS: true
+      OAUTH2_PROXY_OIDC_EMAIL_CLAIM: sub
+
+      OAUTH2_PROXY_SET_XAUTHREQUEST: true
+      OAUTH2_PROXY_PASS_ACCESS_TOKEN: true
+
+      OAUTH2_PROXY_SESSION_STORE_TYPE: redis
+      OAUTH2_PROXY_REDIS_CONNECTION_URL: redis://redis
+
+      OAUTH2_PROXY_COOKIE_REFRESH: 30m
+      OAUTH2_PROXY_COOKIE_NAME: SESSION
+      OAUTH2_PROXY_COOKIE_SECRET: HISTORY_PURGED_SECRET
+
+  redis:
+    image: redis:7.0.2-alpine3.16
+    volumes:
+      - cache:/data
+
+volumes:
+  cache:
+    driver: local