From 4a99d399e465056f26e9aad9b1c68ddfb192206e Mon Sep 17 00:00:00 2001
From: jabertwo <git@jabertwo.de>
Date: Wed, 17 Jul 2024 22:51:56 +0200
Subject: [PATCH] WIP: jameicavnc an uffd

---
 site.yml                                      |  1 +
 .../templates/docker-compose.yml              |  5 +-
 verwaltung/docker_jameica/tasks/main.yml      | 11 ++--
 .../templates/docker-compose.yml              | 57 +++++++++----------
 .../docker_jameica/templates/nginx.conf       | 57 -------------------
 5 files changed, 36 insertions(+), 95 deletions(-)
 delete mode 100644 verwaltung/docker_jameica/templates/nginx.conf

diff --git a/site.yml b/site.yml
index 6d89934a..97dff204 100644
--- a/site.yml
+++ b/site.yml
@@ -386,6 +386,7 @@
     - { 
         role: verwaltung/docker_jameica, tags: [ jameicavnc, docker_services ],
         servicename: "jameicavnc",
+        basedir: /srv/jameica-vnc,
         domain: "verwaltung-jameica.warpzone.ms"
       }
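Review bot: The new `basedir: /srv/jameica-vnc,` entry is the only unquoted value in this flow mapping while `servicename` and `domain` are quoted; for consistency and to keep the path safe from any future YAML-special character, write `basedir: "/srv/jameica-vnc",`. The role's tasks and compose template consume this as `{{basedir}}`, so the value itself is fine.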
     - { 
diff --git a/testserver/docker_jameica/templates/docker-compose.yml b/testserver/docker_jameica/templates/docker-compose.yml
index 3c3c4435..e0eebb94 100644
--- a/testserver/docker_jameica/templates/docker-compose.yml
+++ b/testserver/docker_jameica/templates/docker-compose.yml
@@ -4,8 +4,8 @@ services:
     build: .
     restart: always
     environment:
-      DISPLAY_WIDTH: 1440
-      DISPLAY_HEIGHT: 900
+      DISPLAY_WIDTH: 1920
+      DISPLAY_HEIGHT: 1080
       RUN_XTERM: "no"
     volumes:
       - /srv/jameica:/jameica/
@@ -13,6 +13,7 @@ services:
       - {{basedir}}/work:/jameica-work/
     networks:
       - default
+      - web
     labels:
       - com.centurylinklabs.watchtower.enable=false
       - traefik.enable=true
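Review bot: Adding `- web` attaches the VNC container directly to the external traefik network, and the router labels that follow `traefik.enable=true` continue past the end of this hunk, so I cannot see whether a forwardauth middleware is attached to that router. If it is not, the noVNC console is reachable through traefik with no authentication in front of it; the verwaltung variant in this same commit attaches `traefik.http.routers.{{ servicename }}.middlewares={{ servicename }}-auth`, and the testserver router should carry the equivalent label before the network is opened. The enclosing service definition starts before this hunk.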
diff --git a/verwaltung/docker_jameica/tasks/main.yml b/verwaltung/docker_jameica/tasks/main.yml
index c8a11900..fae41ec7 100644
--- a/verwaltung/docker_jameica/tasks/main.yml
+++ b/verwaltung/docker_jameica/tasks/main.yml
@@ -1,26 +1,27 @@
 ---
 - include_tasks: ../functions/get_secret.yml
   with_items:
-   - { path: /srv/ldap/secret/ldap_readonly_pass,  length: -1 }
+    - { path: "{{ basedir }}/secrets/forward_auth_secret", length: 64 }
+    - { path: "{{ basedir }}/secrets/oauth_client_secret", length: 64 }
   
 - name: "create folder struct for {{ servicename }}"
   file: 
     path: "{{item}}" 
     state: "directory"
   with_items:
-    - "/srv/jameica-vnc/"
-    - "/srv/jameica-vnc/work"
+    - "{{basedir}}/"
+    - "{{basedir}}/work"
+    - "{{basedir}}/secrets"
 
 - name: Konfig-Dateien erstellen
   template: 
     src: "{{item}}" 
-    dest: "/srv/jameica-vnc/{{item}}"
+    dest: "{{basedir}}/{{item}}"
   with_items:
     - "docker-compose.yml"
     - "Dockerfile"
     - "jameica.conf"
     - "jameica.sh"
-    - "nginx.conf"
   register: config_files
 
 - name: "stop {{ servicename }} docker"
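Review bot: The two `get_secret.yml` includes on the new lines run before the task that creates `{{basedir}}/secrets`, so if get_secret.yml has to generate and write a missing secret on a fresh host, the target directory does not exist yet; moving the "create folder struct" task ahead of the include (or creating the directory inside get_secret.yml) fixes the ordering. I cannot see get_secret.yml, so this is inferred from task order only. The secrets directory is created with no `mode` set even though it now holds the forward-auth and OAuth client secrets; create it in a separate `file` task with `mode: "0700"` rather than alongside the work directory. Minor: `{{ basedir }}` in the include items and `{{basedir}}` in the directory and template tasks spell the same variable two ways; pick one.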
diff --git a/verwaltung/docker_jameica/templates/docker-compose.yml b/verwaltung/docker_jameica/templates/docker-compose.yml
index 01df70d9..6a1ed1e7 100644
--- a/verwaltung/docker_jameica/templates/docker-compose.yml
+++ b/verwaltung/docker_jameica/templates/docker-compose.yml
@@ -4,54 +4,49 @@ services:
     build: .
     restart: always
     environment:
-      DISPLAY_WIDTH: 1440
-      DISPLAY_HEIGHT: 900
+      DISPLAY_WIDTH: 1920
+      DISPLAY_HEIGHT: 1080
       RUN_XTERM: "no"
     volumes:
       - /srv/jameica:/jameica/
       - /srv/data-jameica:/jameica-data/
-      - /srv/jameica-vnc/work:/jameica-work/
+      - {{basedir}}/work:/jameica-work/
     networks:
       - default
     labels:
       - com.centurylinklabs.watchtower.enable=false
-
-  ldap_auth:
-    image: pinepain/ldap-auth-proxy:latest
-    restart: always
-    environment:
-      LOG_LEVEL: "info"
-      LISTEN: ":8888"
-      LDAP_SERVER: "ldap://{{ ldap_ip_ext }}"
-      LDAP_BASE: "{{ ldap_base_dn }}"
-      LDAP_BIND_DN: "{{ ldap_readonly_bind_dn }}"
-      LDAP_BIND_PASSWORD: "{{ ldap_readonly_pass }}"
-      #(&(uid=%s)(memberof=CN=verwaltung,OU=groups,DC=warpzone,DC=ms))
-      LDAP_USER_FILTER: "(&(uid=%s)(memberof=CN=vorstand,OU=groups,DC=warpzone,DC=ms))"
-      #LDAP_GROUP_FILTER: "(&(objectClass=groupOfUniqueNames)(member=uid=%s,ou=Users,o=${OID},dc=jumpcloud,dc=com))"
-      HEADERS_MAP: "X-LDAP-Mail:mail,X-LDAP-UID:uid,X-LDAP-CN:cn"
-    networks:
-      - default
+      - traefik.enable=true
+      - traefik.http.routers.{{ servicename }}.middlewares={{ servicename }}-auth
+      - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)
+      - traefik.http.routers.{{ servicename }}.entrypoints=websecure
+      - traefik.http.services.{{ servicename }}.loadbalancer.server.port=8080
 
 
-  nginx:
-    image: nginx:1
+  auth:
+    image: thomseddon/traefik-forward-auth:2.2
     restart: always
-    depends_on:
-      - vnc
-      - ldap_auth
-    volumes:
-      - /srv/jameica-vnc/nginx.conf:/etc/nginx/conf.d/default.conf:ro      
+    environment: 
+      LOG_LEVEL: info
+      DEFAULT_ACTION: auth
+      DEFAULT_PROVIDER: generic-oauth
+      SECRET: {{ forward_auth_secret }}
+      PROVIDERS_GENERIC_OAUTH_AUTH_URL: {{ oauth_global.authorize_url }}
+      PROVIDERS_GENERIC_OAUTH_TOKEN_URL: {{ oauth_global.token_url }}
+      PROVIDERS_GENERIC_OAUTH_USER_URL: {{ oauth_global.userinfo_url }}
+      PROVIDERS_GENERIC_OAUTH_CLIENT_ID: {{ servicename }}
+      PROVIDERS_GENERIC_OAUTH_CLIENT_SECRET: {{ oauth_client_secret }}
+      PROVIDERS_GENERIC_OAUTH_SCOPE: profile
+      PROVIDERS_GENERIC_OAUTH_TOKEN_STYLE: header
     labels:
+      - com.centurylinklabs.watchtower.enable=false
       - traefik.enable=true
-      - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)
-      - traefik.http.routers.{{ servicename }}.entrypoints=websecure
-      - traefik.http.services.{{ servicename }}.loadbalancer.server.port=80
+      - traefik.http.middlewares.{{ servicename }}-auth.forwardauth.address=http://auth:4181
+      - traefik.http.middlewares.{{ servicename }}-auth.forwardauth.authResponseHeaders=X-Forwarded-User
+      - traefik.http.services.{{ servicename }}-auth.loadbalancer.server.port=4181
     networks:
       - default
       - web
 
-
 networks:
   web:
     external: true    
\ No newline at end of file
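Review bot: The first service (vnc, per the removed `depends_on`) now carries the traefik router labels but its networks list is still only `default`, while the auth service — and the vnc service in the testserver variant of this commit — are attached to the external `web` network; assuming traefik reaches backends over `web`, `vnc:8080` is unreachable to it and the new route cannot work, so add `- web` under the vnc service's networks. The Jinja-rendered environment values of the auth service (`SECRET`, the three `PROVIDERS_GENERIC_OAUTH_*_URL`s, `CLIENT_ID`, `CLIENT_SECRET`) are unquoted; a generated 64-character secret or a client id that happens to start with a YAML indicator or look like a number would be mis-typed or rejected when compose parses the rendered file, so quote them as `SECRET: "{{ forward_auth_secret }}"` and likewise for the others. Note also that the removed ldap_auth service restricted access via `LDAP_USER_FILTER` to the vorstand group, and the new forward-auth configuration carries no equivalent restriction — unless the OAuth provider enforces group membership for this client, any account that can log in at the provider reaches the VNC console; traefik-forward-auth's `WHITELIST`/`DOMAIN` settings or a provider-side restriction would restore the previous scope.
```yaml
    # … unchanged: vnc build, restart, environment, volumes …
    networks:
      - default
      - web
    # … unchanged: vnc labels …

  auth:
    # … unchanged: image, restart …
    environment:
      # … unchanged: LOG_LEVEL, DEFAULT_ACTION, DEFAULT_PROVIDER …
      SECRET: "{{ forward_auth_secret }}"
      PROVIDERS_GENERIC_OAUTH_AUTH_URL: "{{ oauth_global.authorize_url }}"
      PROVIDERS_GENERIC_OAUTH_TOKEN_URL: "{{ oauth_global.token_url }}"
      PROVIDERS_GENERIC_OAUTH_USER_URL: "{{ oauth_global.userinfo_url }}"
      PROVIDERS_GENERIC_OAUTH_CLIENT_ID: "{{ servicename }}"
      PROVIDERS_GENERIC_OAUTH_CLIENT_SECRET: "{{ oauth_client_secret }}"
      # … unchanged: SCOPE, TOKEN_STYLE, labels, networks …
```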
diff --git a/verwaltung/docker_jameica/templates/nginx.conf b/verwaltung/docker_jameica/templates/nginx.conf
deleted file mode 100644
index 9e21b484..00000000
--- a/verwaltung/docker_jameica/templates/nginx.conf
+++ /dev/null
@@ -1,57 +0,0 @@
-
-server {
-
-    listen 80;
-    listen [::]:80;
-
-    server_name verwaltung-jameica.warpzone.ms;
-    root /dev/null;
-    index index.html;
-
-    location = / {
-       return 301 https://$host/vnc.html;
-    }
-
-	location /  {
- 
-            # Enable Authentication 
-            auth_request /auth-proxy;
-
-            # Enable websockets for the noVNC console to work
-            proxy_http_version 1.1;
-	        proxy_set_header Connection $http_connection;
-	        proxy_set_header Origin http://$host;
-	        proxy_set_header Upgrade $http_upgrade;
-
-            # VNC connection timeout
-            proxy_read_timeout 61s;
-
-            # Disable cache
-            proxy_buffering off;
-
-        	proxy_set_header        Host $host;
-        	proxy_set_header        X-Real-IP $remote_addr;
-	        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
-        	proxy_set_header        X-Forwarded-Proto $scheme;
-
-	        proxy_pass      http://vnc:8080/;
-        	proxy_redirect  off;
-
-    }
-
-    location = /auth-proxy {
-        internal;
-
-        proxy_pass http://ldap_auth:8888/auth;
-
-        proxy_pass_request_body off;
-        proxy_set_header Content-Length "";
-        proxy_cache_valid 202 10m;
-
-        # The following directive adds the cookie to the cache key
-        proxy_cache_key "$http_authorization";
-
-        proxy_set_header X-Ldap-Group "*";
-    }
-
-}
\ No newline at end of file
-- 
GitLab