authorElizabeth Hunt <me@liz.coffee>2025-08-11 18:39:55 -0700
committerElizabeth Hunt <me@liz.coffee>2025-08-11 18:39:55 -0700
commit08e92ca3b8ee6c38c3e19126378e51b46cf63b16 (patch)
tree6e9c0e0f394d645cea4208bcfab7e1d98d329e0e /playbooks/roles/traefik/templates/volumes/oauth2proxy/oauth_proxy_alpha.yml
parent4f90a2fc5fd134b27c2f0e32a5f1192003d3f0cf (diff)
OAuth proxy and monitoring init
Diffstat (limited to 'playbooks/roles/traefik/templates/volumes/oauth2proxy/oauth_proxy_alpha.yml')
-rw-r--r--playbooks/roles/traefik/templates/volumes/oauth2proxy/oauth_proxy_alpha.yml75
1 files changed, 75 insertions, 0 deletions
diff --git a/playbooks/roles/traefik/templates/volumes/oauth2proxy/oauth_proxy_alpha.yml b/playbooks/roles/traefik/templates/volumes/oauth2proxy/oauth_proxy_alpha.yml
new file mode 100644
index 0000000..0f1b1ab
--- /dev/null
+++ b/playbooks/roles/traefik/templates/volumes/oauth2proxy/oauth_proxy_alpha.yml
@@ -0,0 +1,75 @@
+injectRequestHeaders:
+- name: X-Forwarded-User
+ values:
+ - claim: user
+- name: X-Forwarded-Email
+ values:
+ - claim: email
+- name: X-Forwarded-Preferred-Username
+ values:
+ - claim: preferred_username
+- name: X-Forwarded-Groups
+ values:
+ - claim: groups
+- name: Authorization
+ values:
+ - claim: id_token
+ prefix: 'Bearer '
+- name: "X-Forwarded-{{ oauth_proxy_super_secret_header }}"
+ values:
+ - value: "{{ oauth_proxy_super_secret_header | b64encode }}"
+injectResponseHeaders:
+- name: X-Auth-Request-User
+ values:
+ - claim: user
+- name: X-Auth-Request-Email
+ values:
+ - claim: email
+- name: X-Auth-Request-Preferred-Username
+ values:
+ - claim: preferred_username
+- name: X-Auth-Request-Groups
+ values:
+ - claim: groups
+- name: "X-Auth-Request-{{ oauth_proxy_super_secret_header }}"
+ values:
+ - value: "{{ oauth_proxy_super_secret_header | b64encode }}"
+- name: Authorization
+ values:
+ - claim: id_token
+ prefix: 'Bearer '
+metricsServer:
+ BindAddress: 0.0.0.0:5577
+ SecureBindAddress: ""
+ TLS: null
+providers:
+- id: kanidm
+ name: "{{ domain }} <3"
+ provider: oidc
+ clientID: "{{ oauth_proxy_client_id }}"
+ clientSecret: "{{ oauth_proxy_client_secret }}"
+ allowedGroups:
+ - "{{ oauth_proxy_group }}"
+ code_challenge_method: "S256"
+ scope: "openid profile groups email"
+ oidcConfig:
+ issuerURL: "https://{{ idm_domain }}/oauth2/openid/{{ oauth_proxy_client_id }}"
+ insecureSkipNonce: false
+ insecureAllowUnverifiedEmail: false
+ extraAudiences:
+ - "{{ oauth_proxy_client_id }}"
+ audienceClaims:
+ - aud
+ userIDClaim: sub
+ emailClaim: email
+ groupsClaim: groups
+server:
+ BindAddress: 0.0.0.0:4180
+ SecureBindAddress: ""
+ TLS: null
+upstreamConfig:
+ upstreams:
+ - id: "traefik"
+ static: true
+ path: "/"
+ staticCode: 202
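Review bot: The shared-secret header on lines 41–43 derives its value from its own name — the header `X-Forwarded-{{ oauth_proxy_super_secret_header }}` carries `{{ oauth_proxy_super_secret_header | b64encode }}`, so anyone who learns the header name can reproduce the value, and base64 is an encoding, not a secret transform. Lines 57–59 repeat the same name and value under `injectResponseHeaders`; if oauth2-proxy applies those headers to responses returned to the browser (its header chain appears to run for proxied responses as well as the auth endpoint), the value meant to prove a request passed through the proxy is disclosed to every authenticated client. Use a separate variable for the value, e.g. `- value: "{{ OAUTH_PROXY_UPSTREAM_SECRET_VALUE_PLACEHOLDER }}"`, and drop the block at 57–59 unless the Traefik forward-auth integration copies that specific header. The metrics listener on line 65 binds `0.0.0.0:5577` with no TLS; that is fine on an isolated container network but should be documented with a comment such as `# metrics are unauthenticated — keep this port off any published/host-exposed network` so the deployment does not later publish it.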