Diffstat (limited to 'playbooks/roles/traefik/templates/volumes/oauth2proxy')
4 files changed, 269 insertions, 0 deletions
diff --git a/playbooks/roles/traefik/templates/volumes/oauth2proxy/oauth_proxy.cfg b/playbooks/roles/traefik/templates/volumes/oauth2proxy/oauth_proxy.cfg
new file mode 100644
index 0000000..3c412de
--- /dev/null
+++ b/playbooks/roles/traefik/templates/volumes/oauth2proxy/oauth_proxy.cfg
@@ -0,0 +1,26 @@
+## OAuth2 Proxy Config File
+
+request_logging = true
+email_domains = "*"
+reverse_proxy = true
+redirect_url = "https://{{ oauth_proxy_domain }}/oauth2/callback"
+real_client_ip_header = "X-Forwarded-For"
+trusted_ips = "{{ homelab_network }}"
+
+## Cookie Settings
+cookie_name = "_oauth2_proxy"
+cookie_secret = "{{ oauth_proxy_cookie_secret }}"
+cookie_domains = [".{{ domain }}", "{{ domain }}"]
+whitelist_domains = [".{{ domain }}", "{{ domain }}"]
+cookie_expire = "24h"
+cookie_refresh = "1h"
+cookie_secure = true
+session_store_type = "redis"
+redis_connection_url = "redis://oauth2-cache"
+
+## Templating
+
+banner = "-"
+footer = "-"
+custom_sign_in_logo="-"
+custom_templates_dir="/conf/templates"
diff --git a/playbooks/roles/traefik/templates/volumes/oauth2proxy/oauth_proxy_alpha.yml b/playbooks/roles/traefik/templates/volumes/oauth2proxy/oauth_proxy_alpha.yml
new file mode 100644
index 0000000..0f1b1ab
--- /dev/null
+++ b/playbooks/roles/traefik/templates/volumes/oauth2proxy/oauth_proxy_alpha.yml
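Review bot: `trusted_ips = "{{ homelab_network }}"` exempts every request whose client IP falls inside that range from authentication, and with `real_client_ip_header = "X-Forwarded-For"` that IP is read from a request header rather than the TCP peer, so unless Traefik's entrypoint only honours forwarded headers from known upstreams (`forwardedHeaders.trustedIPs`, not part of this change) an external client can send `X-Forwarded-For: <homelab address>` and skip the login entirely. oauth2-proxy's X-Forwarded-For parser uses the leftmost address in the list, which is exactly the one a client controls. If the LAN bypass is intentional, keep it but record the dependency next to it, e.g. `# trusted_ips bypasses auth for this range; relies on traefik overwriting client-supplied X-Forwarded-For`, and verify the entrypoint setting; otherwise drop `trusted_ips` and let the group check in the provider config be the only gate.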
@@ -0,0 +1,75 @@ +injectRequestHeaders: +- name: X-Forwarded-User + values: + - claim: user +- name: X-Forwarded-Email + values: + - claim: email +- name: X-Forwarded-Preferred-Username + values: + - claim: preferred_username +- name: X-Forwarded-Groups + values: + - claim: groups +- name: Authorization + values: + - claim: id_token + prefix: 'Bearer ' +- name: "X-Forwarded-{{ oauth_proxy_super_secret_header }}" + values: + - value: "{{ oauth_proxy_super_secret_header | b64encode }}" +injectResponseHeaders: +- name: X-Auth-Request-User + values: + - claim: user +- name: X-Auth-Request-Email + values: + - claim: email +- name: X-Auth-Request-Preferred-Username + values: + - claim: preferred_username +- name: X-Auth-Request-Groups + values: + - claim: groups +- name: "X-Auth-Request-{{ oauth_proxy_super_secret_header }}" + values: + - value: "{{ oauth_proxy_super_secret_header | b64encode }}" +- name: Authorization + values: + - claim: id_token + prefix: 'Bearer ' +metricsServer: + BindAddress: 0.0.0.0:5577 + SecureBindAddress: "" + TLS: null +providers: +- id: kanidm + name: "{{ domain }} <3" + provider: oidc + clientID: "{{ oauth_proxy_client_id }}" + clientSecret: "{{ oauth_proxy_client_secret }}" + allowedGroups: + - "{{ oauth_proxy_group }}" + code_challenge_method: "S256" + scope: "openid profile groups email" + oidcConfig: + issuerURL: "https://{{ idm_domain }}/oauth2/openid/{{ oauth_proxy_client_id }}" + insecureSkipNonce: false + insecureAllowUnverifiedEmail: false + extraAudiences: + - "{{ oauth_proxy_client_id }}" + audienceClaims: + - aud + userIDClaim: sub + emailClaim: email + groupsClaim: groups +server: + BindAddress: 0.0.0.0:4180 + SecureBindAddress: "" + TLS: null +upstreamConfig: + upstreams: + - id: "traefik" + static: true + path: "/" + staticCode: 202 
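Review bot: The `X-Forwarded-{{ oauth_proxy_super_secret_header }}` / `X-Auth-Request-…` header's value is only `b64encode` of its own name, so anyone who learns the header name (an upstream that logs request headers, a debug page that reflects them) can compute the "secret"; a value that an app uses to decide "this came through the proxy" must be independent of the name. Use a separately vaulted variable in both injection lists, e.g. `value: "{{ oauth_proxy_super_secret_value }}"`. Separately, `Authorization: Bearer <id_token>` is injected for every upstream behind the proxy, so each app and its access logs receive the user's ID token; restrict that to upstreams that actually validate it. Whether Traefik replaces client-supplied `X-Forwarded-*` / `Authorization` with these values depends on the forwardAuth middleware's `authResponseHeaders`, which is not visible in this change — worth confirming, since otherwise a client can pre-set the headers that are not listed there.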
diff --git a/playbooks/roles/traefik/templates/volumes/oauth2proxy/templates/error.html b/playbooks/roles/traefik/templates/volumes/oauth2proxy/templates/error.html
new file mode 100644
index 0000000..d202d83
--- /dev/null
+++ b/playbooks/roles/traefik/templates/volumes/oauth2proxy/templates/error.html
@@ -0,0 +1,96 @@ +{{ '{{' }}define "error.html"{{ '}}' }} +<!DOCTYPE html> +<html lang="en" charset="utf-8"> +<head> + <link rel="icon" href="data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 16 16'><text x='0' y='14' font-size='16'>☕</text></svg>"> + <meta charset="utf-8"> + <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no"> + <title>{{ '{{' }} .StatusCode {{ '}}' }} {{ '{{' }} .Title {{ '}}' }}</title> + <style> + :root { + --bg: #282828; + --bg-alt: #1d2021; + --fg: #ebdbb2; + --red: #fb4934; + --blue: #83a598; + } + html, body { + margin: 0; padding: 0; + height: 100%; + background-color: var(--bg); + color: var(--fg); + font-family: monospace; + display: flex; + justify-content: center; + align-items: center; + } + .container { + background-color: var(--bg-alt); + border: 2px solid var(--red); + padding: 3.5rem; + border-radius: 6px; + max-width: 1000px; + width: 90%; + box-shadow: 0 0 8px rgba(0,0,0,0.5); + display: flex; + flex-direction: column; + align-items: center; + } + .status { + font-size: 6rem; + margin: 0; + color: var(--red); + line-height: 1; + } + .title { + font-size: 1.5rem; + margin: 0.5rem 0 1rem; + } + .message { + background-color: var(--bg); + border: 1px solid var(--blue); + padding: 1rem; + width: 100%; + white-space: pre-wrap; + margin-bottom: 1rem; + } + .button { + width: 100%; + padding: 0.75rem; + background-color: var(--red); + color: var(--bg); + border: none; + text-transform: uppercase; + font-weight: bold; + cursor: pointer; + transition: background 0.2s; + margin-top: 0.5rem; + } + .button:hover { + background-color: #cc241d; + } + </style> +</head> +<body> + <div class="container"> + <div class="status">{{ '{{' }} .StatusCode {{ '}}' }}</div> + <div class="title">{{ '{{' }} .Title {{ '}}' }}</div> + {{ '{{' }} if or .Message .RequestID {{ '}}' }} + <div class="message"> + {{ '{{' }} if .Message {{ '}}' }} + {{ '{{' }} .Message {{ '}}' }} + {{ '{{' }} 
end {{ '}}' }} + {{ '{{' }} if .RequestID {{ '}}' }} + Request ID: {{ '{{' }} .RequestID {{ '}}' }} + {{ '{{' }} end {{ '}}' }} + </div> + {{ '{{' }} end {{ '}}' }} + {{ '{{' }} if .Redirect {{ '}}' }} + <form method="GET" action="{{ '{{' }} .Redirect {{ '}}' }}" style="width:100%;"> + <button type="submit" class="button">Go Back</button> + </form> + {{ '{{' }} end {{ '}}' }} + </div> +</body> +</html> +{{ '{{' }}end{{ '}}' }} diff --git a/playbooks/roles/traefik/templates/volumes/oauth2proxy/templates/sign_in.html b/playbooks/roles/traefik/templates/volumes/oauth2proxy/templates/sign_in.html new file mode 100644 index 0000000..17d3718 --- /dev/null +++ b/playbooks/roles/traefik/templates/volumes/oauth2proxy/templates/sign_in.html 
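Review bot: `<html lang="en" charset="utf-8">` — `charset` is not a valid attribute on `<html>`; the `<meta charset="utf-8">` a few lines below already declares the encoding, so drop it from the `html` element. From an injection standpoint the hunk looks sound as far as it shows: oauth2-proxy loads custom templates through Go's html/template (confirm against the pinned version), so `.Message`, `.RequestID` and the `action="{{ .Redirect }}"` attribute are contextually escaped and `javascript:` targets are neutralised. A one-line comment at the top of the template, `<!-- rendered via Go html/template: all .Fields are auto-escaped, do not add manual escaping -->`, would stop the next maintainer from double-escaping or from assuming the values are raw.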
@@ -0,0 +1,72 @@ +{{ '{{' }}define "sign_in.html"{{ '}}' }} +<!DOCTYPE html> +<html lang="en" charset="utf-8"> +<head> + <link rel="icon" href="data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 16 16'><text x='0' y='14' font-size='16'>☕</text></svg>"> + <meta charset="utf-8"> + <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no"> + <title>Sign In</title> + <style> + * { + font-family: 'monospace'; + } + :root { + --bg: #282828; + --bg-alt: #1d2021; + --fg: #ebdbb2; + --green: #b8bb26; + --yellow: #fabd2f; + } + html, body { + margin: 0; padding: 0; + height: 100%; + background-color: var(--bg); + color: var(--fg); + font-family: monospace; + display: flex; + justify-content: center; + align-items: center; + } + .container { + background-color: var(--bg-alt); + border: 2px solid var(--green); + padding: 3.5rem; + border-radius: 6px; + max-width: 1000px; + width: 90%; + box-shadow: 0 0 8px rgba(0,0,0,0.5); + display: flex; + flex-direction: column; + align-items: center; + } + .button { + width: 100%; + padding: 0.75rem; + background-color: var(--green); + color: var(--bg); + border: none; + text-transform: uppercase; + font-weight: bold; + cursor: pointer; + transition: background 0.2s; + margin-top: 1rem; + } + .button:hover { + background-color: var(--yellow); + } + </style> +</head> +<body> + <div class="container"> + <pre class="logo">{{ logo }}</pre> + <form method="GET" action="{{ '{{' }} .ProxyPrefix {{ '}}' }}/start" style="width: 100%; display: flex; flex-direction: column;"> + <input type="hidden" name="rd" value="{{ '{{' }} .Redirect {{ '}}' }}"> + {{ '{{' }} if .SignInMessage {{ '}}' }} + <p>{{ '{{' }} .SignInMessage {{ '}}' }}</p> + {{ '{{' }} end {{ '}}' }} + <button type="submit" class="button">Sign in with {{ '{{' }} .ProviderName {{ '}}' }}</button> + </form> + </div> +</body> +</html> +{{ '{{' }}end{{ '}}' }} |
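Review bot: `<pre class="logo">{{ logo }}</pre>` is expanded by Ansible at deploy time, not by oauth2-proxy's template engine, so the value lands in the page unescaped; ASCII-art logos routinely contain `<`, `>` and `&`, which will be parsed as markup or swallowed, and if `logo` ever comes from a less trusted variable source it becomes stored markup on the login page. Escape it where it is rendered: `<pre class="logo">{{ logo | escape }}</pre>`. The rest of the form is the standard oauth2-proxy sign-in shape (`.ProxyPrefix`/start with the `rd` hidden field) and those values are escaped by the Go template. Two small style points: the `charset` attribute on `<html>` is invalid and redundant with the `<meta charset>`, and `font-family: 'monospace'` in quotes names a font called "monospace" rather than the generic family — use `font-family: monospace` as the `html, body` rule already does.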