From 08e92ca3b8ee6c38c3e19126378e51b46cf63b16 Mon Sep 17 00:00:00 2001
From: Elizabeth Hunt
Date: Mon, 11 Aug 2025 18:39:55 -0700
Subject: Oauth proxy and monitoring init

---
 .../templates/volumes/oauth2proxy/oauth_proxy.cfg | 26 ++++++
 .../volumes/oauth2proxy/oauth_proxy_alpha.yml | 75 +++++++++++++++++
 .../volumes/oauth2proxy/templates/error.html | 96 ++++++++++++++++++++++
 .../volumes/oauth2proxy/templates/sign_in.html | 72 ++++++++++++++++
 4 files changed, 269 insertions(+)
 create mode 100644 playbooks/roles/traefik/templates/volumes/oauth2proxy/oauth_proxy.cfg
 create mode 100644 playbooks/roles/traefik/templates/volumes/oauth2proxy/oauth_proxy_alpha.yml
 create mode 100644 playbooks/roles/traefik/templates/volumes/oauth2proxy/templates/error.html
 create mode 100644 playbooks/roles/traefik/templates/volumes/oauth2proxy/templates/sign_in.html

(limited to 'playbooks/roles/traefik/templates/volumes/oauth2proxy')

diff --git a/playbooks/roles/traefik/templates/volumes/oauth2proxy/oauth_proxy.cfg b/playbooks/roles/traefik/templates/volumes/oauth2proxy/oauth_proxy.cfg
new file mode 100644
index 0000000..3c412de
--- /dev/null
+++ b/playbooks/roles/traefik/templates/volumes/oauth2proxy/oauth_proxy.cfg
@@ -0,0 +1,26 @@
+## OAuth2 Proxy Config File
+
+request_logging = true
+email_domains = "*"
+reverse_proxy = true
+redirect_url = "https://{{ oauth_proxy_domain }}/oauth2/callback"
+real_client_ip_header = "X-Forwarded-For"
+trusted_ips = "{{ homelab_network }}"
+
+## Cookie Settings
+cookie_name = "_oauth2_proxy"
+cookie_secret = "{{ oauth_proxy_cookie_secret }}"
+cookie_domains = [".{{ domain }}", "{{ domain }}"]
+whitelist_domains = [".{{ domain }}", "{{ domain }}"]
+cookie_expire = "24h"
+cookie_refresh = "1h"
+cookie_secure = true
+session_store_type = "redis"
+redis_connection_url = "redis://oauth2-cache"
+
+## Templating
+
+banner = "-"
+footer = "-"
+custom_sign_in_logo="-"
+custom_templates_dir="/conf/templates"
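Review bot: `trusted_ips = "{{ homelab_network }}"` skips the OIDC login entirely for matching clients, and because `real_client_ip_header = "X-Forwarded-For"` the address being matched is whatever that header carries, so the bypass is only as strong as Traefik's handling of a client-supplied X-Forwarded-For, which this page does not show. Unless Traefik is configured to overwrite that header for connections from non-trusted sources, a request arriving from outside the homelab range could be treated as local and never reach the provider; either confirm Traefik's forwarded-header trust settings cover this, or drop `trusted_ips` and rely on cookies for every request. A comment beside the setting would record the dependency, e.g. `## trusted_ips bypasses auth entirely; only safe if the edge proxy overwrites X-Forwarded-For for non-local clients`. Separately, `redis_connection_url = "redis://oauth2-cache"` carries no credentials while the store holds every active session, so the cache service must stay on the internal network with no published port.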
diff --git a/playbooks/roles/traefik/templates/volumes/oauth2proxy/oauth_proxy_alpha.yml b/playbooks/roles/traefik/templates/volumes/oauth2proxy/oauth_proxy_alpha.yml new file mode 100644 index 0000000..0f1b1ab --- /dev/null +++ b/playbooks/roles/traefik/templates/volumes/oauth2proxy/oauth_proxy_alpha.yml 
@@ -0,0 +1,75 @@ +injectRequestHeaders: +- name: X-Forwarded-User + values: + - claim: user +- name: X-Forwarded-Email + values: + - claim: email +- name: X-Forwarded-Preferred-Username + values: + - claim: preferred_username +- name: X-Forwarded-Groups + values: + - claim: groups +- name: Authorization + values: + - claim: id_token + prefix: 'Bearer ' +- name: "X-Forwarded-{{ oauth_proxy_super_secret_header }}" + values: + - value: "{{ oauth_proxy_super_secret_header | b64encode }}" +injectResponseHeaders: +- name: X-Auth-Request-User + values: + - claim: user +- name: X-Auth-Request-Email + values: + - claim: email +- name: X-Auth-Request-Preferred-Username + values: + - claim: preferred_username +- name: X-Auth-Request-Groups + values: + - claim: groups +- name: "X-Auth-Request-{{ oauth_proxy_super_secret_header }}" + values: + - value: "{{ oauth_proxy_super_secret_header | b64encode }}" +- name: Authorization + values: + - claim: id_token + prefix: 'Bearer ' +metricsServer: + BindAddress: 0.0.0.0:5577 + SecureBindAddress: "" + TLS: null +providers: +- id: kanidm + name: "{{ domain }} <3" + provider: oidc + clientID: "{{ oauth_proxy_client_id }}" + clientSecret: "{{ oauth_proxy_client_secret }}" + allowedGroups: + - "{{ oauth_proxy_group }}" + code_challenge_method: "S256" + scope: "openid profile groups email" + oidcConfig: + issuerURL: "https://{{ idm_domain }}/oauth2/openid/{{ oauth_proxy_client_id }}" + insecureSkipNonce: false + insecureAllowUnverifiedEmail: false + extraAudiences: + - "{{ oauth_proxy_client_id }}" + audienceClaims: + - aud + userIDClaim: sub + emailClaim: email + groupsClaim: groups +server: + BindAddress: 0.0.0.0:4180 + SecureBindAddress: "" + TLS: null +upstreamConfig: + upstreams: + - id: "traefik" + static: true + path: "/" + staticCode: 202 
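Review bot: The `Authorization` entry under `injectResponseHeaders` hands the raw `id_token` as a Bearer header to whatever Traefik forwards it to, so every application behind the forwardAuth middleware receives the user's identity token rather than only the one that needs it; I would keep that entry out of the shared list and add it only for the consumer that requires it, or rely on the `X-Auth-Request-*` claim headers (this depends on which names Traefik's `authResponseHeaders` copies, which is not on this page). The `X-Auth-Request-{{ oauth_proxy_super_secret_header }}` header's value is the base64 of its own name, so anyone who learns the header name can reproduce the value; if this header is meant as proof that a request passed through the proxy, give it a value derived from an independent secret. `metricsServer.BindAddress: 0.0.0.0:5577` with `TLS: null` exposes Prometheus metrics without auth on all container interfaces, which is acceptable only if that port is never published; a comment such as `# metrics: internal scrape network only, never publish 5577` would record that intent.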
diff --git a/playbooks/roles/traefik/templates/volumes/oauth2proxy/templates/error.html b/playbooks/roles/traefik/templates/volumes/oauth2proxy/templates/error.html new file mode 100644 index 0000000..d202d83 --- /dev/null +++ b/playbooks/roles/traefik/templates/volumes/oauth2proxy/templates/error.html @@ -0,0 +1,96 @@ +{{ '{{' }}define "error.html"{{ '}}' }} + + + + + + + {{ '{{' }} .StatusCode {{ '}}' }} {{ '{{' }} .Title {{ '}}' }} + + + +
+
{{ '{{' }} .StatusCode {{ '}}' }}
+
{{ '{{' }} .Title {{ '}}' }}
+ {{ '{{' }} if or .Message .RequestID {{ '}}' }} +
+ {{ '{{' }} if .Message {{ '}}' }} + {{ '{{' }} .Message {{ '}}' }} + {{ '{{' }} end {{ '}}' }} + {{ '{{' }} if .RequestID {{ '}}' }} + Request ID: {{ '{{' }} .RequestID {{ '}}' }} + {{ '{{' }} end {{ '}}' }} +
+ {{ '{{' }} end {{ '}}' }} + {{ '{{' }} if .Redirect {{ '}}' }} +
+ +
+ {{ '{{' }} end {{ '}}' }} +
+ + +{{ '{{' }}end{{ '}}' }} diff --git a/playbooks/roles/traefik/templates/volumes/oauth2proxy/templates/sign_in.html b/playbooks/roles/traefik/templates/volumes/oauth2proxy/templates/sign_in.html new file mode 100644 index 0000000..17d3718 --- /dev/null +++ b/playbooks/roles/traefik/templates/volumes/oauth2proxy/templates/sign_in.html @@ -0,0 +1,72 @@ +{{ '{{' }}define "sign_in.html"{{ '}}' }} + + + + + + + Sign In + + + +
+ +
+ + {{ '{{' }} if .SignInMessage {{ '}}' }} +

{{ '{{' }} .SignInMessage {{ '}}' }}

+ {{ '{{' }} end {{ '}}' }} + +
+
+ + +{{ '{{' }}end{{ '}}' }} -- cgit v1.2.3-70-g09d2