From 4a99d399e465056f26e9aad9b1c68ddfb192206e Mon Sep 17 00:00:00 2001
From: jabertwo <git@jabertwo.de>
Date: Wed, 17 Jul 2024 22:51:56 +0200
Subject: [PATCH] WIP: jameicavnc an uffd

---
 site.yml | 1 +
 .../templates/docker-compose.yml | 5 +-
 verwaltung/docker_jameica/tasks/main.yml | 11 ++--
 .../templates/docker-compose.yml | 57 +++++++++----------
 .../docker_jameica/templates/nginx.conf | 57 -------------------
 5 files changed, 36 insertions(+), 95 deletions(-)
 delete mode 100644 verwaltung/docker_jameica/templates/nginx.conf

diff --git a/site.yml b/site.yml
index 6d89934a..97dff204 100644
--- a/site.yml
+++ b/site.yml
@@ -386,6 +386,7 @@
   - { role: verwaltung/docker_jameica,
       tags: [ jameicavnc, docker_services ],
       servicename: "jameicavnc",
+      basedir: /srv/jameica-vnc,
       domain: "verwaltung-jameica.warpzone.ms" }
   - {
diff --git a/testserver/docker_jameica/templates/docker-compose.yml b/testserver/docker_jameica/templates/docker-compose.yml
index 3c3c4435..e0eebb94 100644
--- a/testserver/docker_jameica/templates/docker-compose.yml
+++ b/testserver/docker_jameica/templates/docker-compose.yml
@@ -4,8 +4,8 @@ services:
     build: .
     restart: always
     environment:
-      DISPLAY_WIDTH: 1440
-      DISPLAY_HEIGHT: 900
+      DISPLAY_WIDTH: 1920
+      DISPLAY_HEIGHT: 1080
       RUN_XTERM: "no"
     volumes:
       - /srv/jameica:/jameica/
@@ -13,6 +13,7 @@ services:
       - {{basedir}}/work:/jameica-work/
     networks:
       - default
+      - web
     labels:
       - com.centurylinklabs.watchtower.enable=false
       - traefik.enable=true
diff --git a/verwaltung/docker_jameica/tasks/main.yml b/verwaltung/docker_jameica/tasks/main.yml
index c8a11900..fae41ec7 100644
--- a/verwaltung/docker_jameica/tasks/main.yml
+++ b/verwaltung/docker_jameica/tasks/main.yml
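Review bot: Adding `- web` to the vnc service's networks makes port 8080 of the noVNC container reachable from every container attached to the external `web` network, not only from traefik, and the environment block in the first hunk sets no password-related variable, so access control for the desktop session rests entirely on whatever sits in front of it. The hunk ends at `traefik.enable=true`, so whether the router carries an auth middleware is not visible here; if the only goal was to let traefik reach the container, attaching traefik to this project's default network instead, or keeping `web` but pinning the router to a forward-auth middleware via `- traefik.http.routers.{{ servicename }}.middlewares={{ servicename }}-auth`, would be the safer shape. A comment on the new line such as `# web: reachable by traefik and by every other container on that network; auth is enforced by the router middleware` would at least record the assumption.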
@@ -1,26 +1,27 @@
 ---
 - include_tasks: ../functions/get_secret.yml
   with_items:
-    - { path: /srv/ldap/secret/ldap_readonly_pass, length: -1 }
+    - { path: "{{ basedir }}/secrets/forward_auth_secret", length: 64 }
+    - { path: "{{ basedir }}/secrets/oauth_client_secret", length: 64 }

 - name: "create folder struct for {{ servicename }}"
   file:
     path: "{{item}}"
     state: "directory"
   with_items:
-    - "/srv/jameica-vnc/"
-    - "/srv/jameica-vnc/work"
+    - "{{basedir}}/"
+    - "{{basedir}}/work"
+    - "{{basedir}}/secrets"

 - name: Konfig-Dateien erstellen
   template:
     src: "{{item}}"
-    dest: "/srv/jameica-vnc/{{item}}"
+    dest: "{{basedir}}/{{item}}"
   with_items:
     - "docker-compose.yml"
     - "Dockerfile"
     - "jameica.conf"
     - "jameica.sh"
-    - "nginx.conf"
   register: config_files

 - name: "stop {{ servicename }} docker"
diff --git a/verwaltung/docker_jameica/templates/docker-compose.yml b/verwaltung/docker_jameica/templates/docker-compose.yml
index 01df70d9..6a1ed1e7 100644
--- a/verwaltung/docker_jameica/templates/docker-compose.yml
+++ b/verwaltung/docker_jameica/templates/docker-compose.yml
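Review bot: The `include_tasks: ../functions/get_secret.yml` call now targets `{{ basedir }}/secrets/...`, but the task that creates `{{basedir}}/secrets` runs after it, so on a fresh host the secrets are generated into a directory that does not exist yet unless get_secret.yml creates parent directories itself (not visible here). The secrets directory is also created with the umask default like the other two, although it will hold the forward-auth signing key and the OAuth client secret; it should be `0700`. Whether `length: 64` means "generate when missing" is only presumable from the change from `-1`; if so, note that a locally generated `oauth_client_secret` only works when the OAuth provider is provisioned from this same file for client `jameicavnc`, and that assumption deserves a comment. I would swap the order and give the secrets directory its own mode while leaving the others as they were:

```yaml
- name: "create folder struct for {{ servicename }}"
  file:
    path: "{{ item.path }}"
    state: "directory"
    mode: "{{ item.mode | default(omit) }}"
  with_items:
    - { path: "{{ basedir }}/" }
    - { path: "{{ basedir }}/work" }
    - { path: "{{ basedir }}/secrets", mode: "0700" }   # holds forward-auth key + OAuth client secret

# generate/read the secrets only once the directory they live in exists
- include_tasks: ../functions/get_secret.yml
  with_items:
    - { path: "{{ basedir }}/secrets/forward_auth_secret", length: 64 }
    - { path: "{{ basedir }}/secrets/oauth_client_secret", length: 64 }

# … unchanged: Konfig-Dateien erstellen …
```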
@@ -4,54 +4,49 @@ services:
     build: .
     restart: always
     environment:
-      DISPLAY_WIDTH: 1440
-      DISPLAY_HEIGHT: 900
+      DISPLAY_WIDTH: 1920
+      DISPLAY_HEIGHT: 1080
       RUN_XTERM: "no"
     volumes:
       - /srv/jameica:/jameica/
       - /srv/data-jameica:/jameica-data/
-      - /srv/jameica-vnc/work:/jameica-work/
+      - {{basedir}}/work:/jameica-work/
     networks:
       - default
     labels:
       - com.centurylinklabs.watchtower.enable=false
-
-  ldap_auth:
-    image: pinepain/ldap-auth-proxy:latest
-    restart: always
-    environment:
-      LOG_LEVEL: "info"
-      LISTEN: ":8888"
-      LDAP_SERVER: "ldap://{{ ldap_ip_ext }}"
-      LDAP_BASE: "{{ ldap_base_dn }}"
-      LDAP_BIND_DN: "{{ ldap_readonly_bind_dn }}"
-      LDAP_BIND_PASSWORD: "{{ ldap_readonly_pass }}"
-      #(&(uid=%s)(memberof=CN=verwaltung,OU=groups,DC=warpzone,DC=ms))
-      LDAP_USER_FILTER: "(&(uid=%s)(memberof=CN=vorstand,OU=groups,DC=warpzone,DC=ms))"
-      #LDAP_GROUP_FILTER: "(&(objectClass=groupOfUniqueNames)(member=uid=%s,ou=Users,o=${OID},dc=jumpcloud,dc=com))"
-      HEADERS_MAP: "X-LDAP-Mail:mail,X-LDAP-UID:uid,X-LDAP-CN:cn"
-    networks:
-      - default
+      - traefik.enable=true
+      - traefik.http.routers.{{ servicename }}.middlewares={{ servicename }}-auth
+      - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)
+      - traefik.http.routers.{{ servicename }}.entrypoints=websecure
+      - traefik.http.services.{{ servicename }}.loadbalancer.server.port=8080
-  nginx:
-    image: nginx:1
+  auth:
+    image: thomseddon/traefik-forward-auth:2.2
     restart: always
-    depends_on:
-      - vnc
-      - ldap_auth
-    volumes:
-      - /srv/jameica-vnc/nginx.conf:/etc/nginx/conf.d/default.conf:ro
+    environment:
+      LOG_LEVEL: info
+      DEFAULT_ACTION: auth
+      DEFAULT_PROVIDER: generic-oauth
+      SECRET: {{ forward_auth_secret }}
+      PROVIDERS_GENERIC_OAUTH_AUTH_URL: {{ oauth_global.authorize_url }}
+      PROVIDERS_GENERIC_OAUTH_TOKEN_URL: {{ oauth_global.token_url }}
+      PROVIDERS_GENERIC_OAUTH_USER_URL: {{ oauth_global.userinfo_url }}
+      PROVIDERS_GENERIC_OAUTH_CLIENT_ID: {{ servicename }}
+      PROVIDERS_GENERIC_OAUTH_CLIENT_SECRET: {{ oauth_client_secret }}
+      PROVIDERS_GENERIC_OAUTH_SCOPE: profile
+      PROVIDERS_GENERIC_OAUTH_TOKEN_STYLE: header
     labels:
+      - com.centurylinklabs.watchtower.enable=false
       - traefik.enable=true
-      - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)
-      - traefik.http.routers.{{ servicename }}.entrypoints=websecure
-      - traefik.http.services.{{ servicename }}.loadbalancer.server.port=80
+      - traefik.http.middlewares.{{ servicename }}-auth.forwardauth.address=http://auth:4181
+      - traefik.http.middlewares.{{ servicename }}-auth.forwardauth.authResponseHeaders=X-Forwarded-User
+      - traefik.http.services.{{ servicename }}-auth.loadbalancer.server.port=4181
     networks:
       - default
       - web
-
 networks:
   web:
     external: true
\ No newline at end of file
diff --git a/verwaltung/docker_jameica/templates/nginx.conf b/verwaltung/docker_jameica/templates/nginx.conf
deleted file mode 100644
index 9e21b484..00000000
--- a/verwaltung/docker_jameica/templates/nginx.conf
+++ /dev/null
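Review bot: The group restriction that the removed `LDAP_USER_FILTER` enforced (`memberof=CN=vorstand,...`) has no counterpart in the new `auth` service: `DEFAULT_ACTION: auth` with neither `WHITELIST` nor `DOMAIN` set means any account that can complete the OAuth login at the provider gets the desktop session and the data mounted from `/srv/data-jameica`, unless the provider itself limits who may authorize client `jameicavnc`. traefik-forward-auth 2.2 cannot evaluate group claims, so either restrict the client on the IdP side and record that here (`# access to this client is restricted to the vorstand group at the IdP; forward-auth does no group check`) or add a `WHITELIST:` of permitted addresses as a stopgap. Separately, the vnc service stays on `default` only while its new router labels expect traefik (on `web`) to reach port 8080; unless traefik is also attached to this project's default network the router has no reachable backend — the testserver template in this same patch adds `- web` for that reason, and a `- traefik.docker.network=web` label would make the choice explicit. Finally, `SECRET` and `PROVIDERS_GENERIC_OAUTH_CLIENT_SECRET` are unquoted Jinja expansions (`SECRET: "{{ forward_auth_secret }}"` is safer should a generated value start with a YAML indicator), and `PROVIDERS_GENERIC_OAUTH_SCOPE: profile` without `email` may leave the userinfo response without the field forward-auth uses to identify the user — worth confirming against the provider before relying on `X-Forwarded-User`.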
@@ -1,57 +0,0 @@
-
-server {
-
-    listen 80;
-    listen [::]:80;
-
-    server_name verwaltung-jameica.warpzone.ms;
-    root /dev/null;
-    index index.html;
-
-    location = / {
-        return 301 https://$host/vnc.html;
-    }
-
-    location / {
-
-        # Enable Authentication
-        auth_request /auth-proxy;
-
-        # Enable websockets for the noVNC console to work
-        proxy_http_version 1.1;
-        proxy_set_header Connection $http_connection;
-        proxy_set_header Origin http://$host;
-        proxy_set_header Upgrade $http_upgrade;
-
-        # VNC connection timeout
-        proxy_read_timeout 61s;
-
-        # Disable cache
-        proxy_buffering off;
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_pass http://vnc:8080/;
-        proxy_redirect off;
-
-    }
-
-    location = /auth-proxy {
-        internal;
-        proxy_pass http://ldap_auth:8888/auth;
-        proxy_pass_request_body off;
-        proxy_set_header Content-Length "";
-        proxy_cache_valid 202 10m;
-
-        # The following directive adds the cookie to the cache key
-        proxy_cache_key "$http_authorization";
-        proxy_set_header X-Ldap-Group "*";
-    }
-
-}
\ No newline at end of file
-- 
GitLab