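---
# docker-compose template (Jinja2, rendered by Ansible once per `item`) for an
# oauth2-proxy instance that fronts a single upstream service with Keycloak
# OIDC and keeps its sessions in a shared redis.
#
# Values read from the play: services[item].port, keycloak_address,
# ansible_default_ipv4.address and keycloak_clients[item] (client_id,
# client_secret, party_secret, master_address, optional skips and groups).
#
# Jinja block tags are kept at column 0 on purpose: Ansible renders templates
# with trim_blocks enabled, which drops the newline after a tag but not the
# indent before it, so an indented tag would prepend its indent to the next
# line and break the YAML structure.
version: "3.7"

services:
  oauth2-proxy-{{ item }}:
    # NOTE(review): ':latest' is unpinned, so every pull may deploy a different
    # build; pin a version or digest (e.g. bitnami/oauth2-proxy:<VERSION>)
    # so image changes are deliberate and reproducible.
    image: bitnami/oauth2-proxy:latest
    depends_on:
      - redis
    restart: always
    command:
      # Every route listed under keycloak_clients[item].skips is served
      # without authentication; keep that list as short as possible.
{% if keycloak_clients[item].get("skips") %}
{% for route in keycloak_clients[item].skips %}
      - --skip-auth-route
      - "{{ route }}"
{% endfor %}
{% endif %}
      - --http-address
      - "0.0.0.0:{{ services[item].port }}"
    ports:
      # Quoted: an unquoted host:container pair can be read as a sexagesimal
      # integer by YAML 1.1 parsers.
      - "{{ services[item].port }}:{{ services[item].port }}"
    environment:
      OAUTH2_PROXY_SCOPE: "openid email profile"
      # The upstream is addressed on the host IP, one port above the proxy's.
      # NOTE(review): that port must not be reachable except through this
      # proxy (firewall / bind to localhost), otherwise the login is bypassed.
      OAUTH2_PROXY_UPSTREAMS: "http://{{ ansible_default_ipv4.address }}:{{ services[item].port + 1000 }}/"
      # '*' accepts any email domain, so this setting does not restrict who
      # may log in; within this file the only access restriction is
      # ALLOWED_GROUPS below, and only when it is set.
      OAUTH2_PROXY_EMAIL_DOMAINS: '*'
      OAUTH2_PROXY_PROVIDER: keycloak-oidc
      OAUTH2_PROXY_PROVIDER_DISPLAY_NAME: "AtlantisHQ Accounts"
      OAUTH2_PROXY_REDIRECT_URL: "{{ keycloak_clients[item].master_address }}/oauth2/callback"
      OAUTH2_PROXY_OIDC_ISSUER_URL: "https://{{ keycloak_address }}/realms/master"
      OAUTH2_PROXY_CLIENT_ID: "{{ keycloak_clients[item].client_id }}"
      # NOTE(review): secrets in `environment` are readable by anyone who can
      # run `docker inspect`; an env_file or Docker secret keeps them out of
      # the rendered compose file.
      OAUTH2_PROXY_CLIENT_SECRET: "{{ keycloak_clients[item].client_secret }}"
      # .get() (as for `skips` above) so a client without a `groups` key
      # renders instead of failing on an undefined attribute.
{% if keycloak_clients[item].get("groups") %}
      # Quoted so the value always renders as a string. TODO confirm: if
      # `groups` is a list rather than a comma-separated string it needs
      # `| join(',')` here.
      OAUTH2_PROXY_ALLOWED_GROUPS: "{{ keycloak_clients[item].groups }}"
{% endif %}
      # The OIDC subject id stands in for the email identity.
      OAUTH2_PROXY_OIDC_EMAIL_CLAIM: sub
      OAUTH2_PROXY_SET_XAUTHREQUEST: "true"
      OAUTH2_PROXY_SESSION_STORE_TYPE: redis
      OAUTH2_PROXY_REDIS_CONNECTION_URL: "redis://redis"
      OAUTH2_PROXY_COOKIE_REFRESH: "17m"
      OAUTH2_PROXY_COOKIE_NAME: SESSION
      OAUTH2_PROXY_COOKIE_SECRET: "{{ keycloak_clients[item].party_secret }}"
      # Per the oauth2-proxy docs this makes the proxy accept X-Forwarded-*
      # headers; presumably a front proxy sits in front of the published port,
      # otherwise those headers are client-controlled -- confirm.
      OAUTH2_PROXY_REVERSE_PROXY: "true"
      OAUTH2_PROXY_SKIP_PROVIDER_BUTTON: "true"
      OAUTH2_PROXY_WHITELIST_DOMAIN: "keycloak.atlantishq.de sso.atlantishq.de sso.potaris.de"

  redis:
    # NOTE(review): unpinned tag, same remark as for oauth2-proxy. No
    # authentication is configured, so every container on this compose
    # network can read the session store.
    image: redis:latest
    restart: always
    volumes:
      - cache:/data

volumes:
  cache:
    driver: local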