WIP: jameicavnc an uffd

4a99d399 · jabertwo · 4b5cbf9f · 4a99d399 · 4a99d399 · 4a99d399
Commit 4a99d399 authored 1 year ago by jabertwo
--- a/site.yml
+++ b/site.yml
@@ -386,6 +386,7 @@
    - { 
        role: verwaltung/docker_jameica, tags: [ jameicavnc, docker_services ],
        servicename: "jameicavnc",
+        basedir: /srv/jameica-vnc,
        domain: "verwaltung-jameica.warpzone.ms"
      }
    - { 

--- a/testserver/docker_jameica/templates/docker-compose.yml
+++ b/testserver/docker_jameica/templates/docker-compose.yml
@@ -4,8 +4,8 @@ services:
    build: .
    restart: always
    environment:
-      DISPLAY_WIDTH: 1440
+      DISPLAY_WIDTH: 1920
-      DISPLAY_HEIGHT: 900
+      DISPLAY_HEIGHT: 1080
      RUN_XTERM: "no"
    volumes:
      - /srv/jameica:/jameica/
@@ -13,6 +13,7 @@ services:
      - {{basedir}}/work:/jameica-work/
    networks:
      - default
+      - web
    labels:
      - com.centurylinklabs.watchtower.enable=false
      - traefik.enable=true

--- a/verwaltung/docker_jameica/tasks/main.yml
+++ b/verwaltung/docker_jameica/tasks/main.yml
 ---
 - include_tasks: ../functions/get_secret.yml
  with_items:
-   - { path: /srv/ldap/secret/ldap_readonly_pass,  length: -1 }
+    - { path: "{{ basedir }}/secrets/forward_auth_secret", length: 64 }
+    - { path: "{{ basedir }}/secrets/oauth_client_secret", length: 64 }
 - name: "create folder struct for {{ servicename }}"
  file: 
    path: "{{item}}" 
    state: "directory"
  with_items:
-    - "/srv/jameica-vnc/"
+    - "{{basedir}}/"
-    - "/srv/jameica-vnc/work"
+    - "{{basedir}}/work"
+    - "{{basedir}}/secrets"
 - name: Konfig-Dateien erstellen
  template: 
    src: "{{item}}" 
-    dest: "/srv/jameica-vnc/{{item}}"
+    dest: "{{basedir}}/{{item}}"
  with_items:
    - "docker-compose.yml"
    - "Dockerfile"
    - "jameica.conf"
    - "jameica.sh"
-    - "nginx.conf"
  register: config_files
 - name: "stop {{ servicename }} docker"

--- a/verwaltung/docker_jameica/templates/docker-compose.yml
+++ b/verwaltung/docker_jameica/templates/docker-compose.yml
@@ -4,54 +4,49 @@ services:
    build: .
    restart: always
    environment:
-      DISPLAY_WIDTH: 1440
+      DISPLAY_WIDTH: 1920
-      DISPLAY_HEIGHT: 900
+      DISPLAY_HEIGHT: 1080
      RUN_XTERM: "no"
    volumes:
      - /srv/jameica:/jameica/
      - /srv/data-jameica:/jameica-data/
-      - /srv/jameica-vnc/work:/jameica-work/
+      - {{basedir}}/work:/jameica-work/
    networks:
      - default
    labels:
      - com.centurylinklabs.watchtower.enable=false
+      - traefik.enable=true
-  ldap_auth:
+      - traefik.http.routers.{{ servicename }}.middlewares={{ servicename }}-auth
-    image: pinepain/ldap-auth-proxy:latest
+      - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)
-    restart: always
+      - traefik.http.routers.{{ servicename }}.entrypoints=websecure
-    environment:
+      - traefik.http.services.{{ servicename }}.loadbalancer.server.port=8080
-      LOG_LEVEL: "info"
-      LISTEN: ":8888"
-      LDAP_SERVER: "ldap://{{ ldap_ip_ext }}"
-      LDAP_BASE: "{{ ldap_base_dn }}"
-      LDAP_BIND_DN: "{{ ldap_readonly_bind_dn }}"
-      LDAP_BIND_PASSWORD: "{{ ldap_readonly_pass }}"
-      #(&(uid=%s)(memberof=CN=verwaltung,OU=groups,DC=warpzone,DC=ms))
-      LDAP_USER_FILTER: "(&(uid=%s)(memberof=CN=vorstand,OU=groups,DC=warpzone,DC=ms))"
-      #LDAP_GROUP_FILTER: "(&(objectClass=groupOfUniqueNames)(member=uid=%s,ou=Users,o=${OID},dc=jumpcloud,dc=com))"
-      HEADERS_MAP: "X-LDAP-Mail:mail,X-LDAP-UID:uid,X-LDAP-CN:cn"
-    networks:
-      - default
-  nginx:
+  auth:
-    image: nginx:1
+    image: thomseddon/traefik-forward-auth:2.2
    restart: always
-    depends_on:
+    environment: 
-      - vnc
+      LOG_LEVEL: info
-      - ldap_auth
+      DEFAULT_ACTION: auth
-    volumes:
+      DEFAULT_PROVIDER: generic-oauth
-      - /srv/jameica-vnc/nginx.conf:/etc/nginx/conf.d/default.conf:ro      
+      SECRET: {{ forward_auth_secret }}
+      PROVIDERS_GENERIC_OAUTH_AUTH_URL: {{ oauth_global.authorize_url }}
+      PROVIDERS_GENERIC_OAUTH_TOKEN_URL: {{ oauth_global.token_url }}
+      PROVIDERS_GENERIC_OAUTH_USER_URL: {{ oauth_global.userinfo_url }}
+      PROVIDERS_GENERIC_OAUTH_CLIENT_ID: {{ servicename }}
+      PROVIDERS_GENERIC_OAUTH_CLIENT_SECRET: {{ oauth_client_secret }}
+      PROVIDERS_GENERIC_OAUTH_SCOPE: profile
+      PROVIDERS_GENERIC_OAUTH_TOKEN_STYLE: header
    labels:
+      - com.centurylinklabs.watchtower.enable=false
      - traefik.enable=true
-      - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)
+      - traefik.http.middlewares.{{ servicename }}-auth.forwardauth.address=http://auth:4181
-      - traefik.http.routers.{{ servicename }}.entrypoints=websecure
+      - traefik.http.middlewares.{{ servicename }}-auth.forwardauth.authResponseHeaders=X-Forwarded-User
-      - traefik.http.services.{{ servicename }}.loadbalancer.server.port=80
+      - traefik.http.services.{{ servicename }}-auth.loadbalancer.server.port=4181
    networks:
      - default
      - web
 networks:
  web:
    external: true    
\ No newline at end of file
--- a/verwaltung/docker_jameica/templates/nginx.conf
+++ b/verwaltung/docker_jameica/templates/nginx.conf
-server {
-    listen 80;
-    listen [::]:80;
-    server_name verwaltung-jameica.warpzone.ms;
-    root /dev/null;
-    index index.html;
-    location = / {
-       return 301 https://$host/vnc.html;
-    }
-	location /  {
-            # Enable Authentication 
-            auth_request /auth-proxy;
-            # Enable websockets for the noVNC console to work
-            proxy_http_version 1.1;
-	        proxy_set_header Connection $http_connection;
-	        proxy_set_header Origin http://$host;
-	        proxy_set_header Upgrade $http_upgrade;
-            # VNC connection timeout
-            proxy_read_timeout 61s;
-            # Disable cache
-            proxy_buffering off;
-        	proxy_set_header        Host $host;
-        	proxy_set_header        X-Real-IP $remote_addr;
-	        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
-        	proxy_set_header        X-Forwarded-Proto $scheme;
-	        proxy_pass      http://vnc:8080/;
-        	proxy_redirect  off;
-    }
-    location = /auth-proxy {
-        internal;
-        proxy_pass http://ldap_auth:8888/auth;
-        proxy_pass_request_body off;
-        proxy_set_header Content-Length "";
-        proxy_cache_valid 202 10m;
-        # The following directive adds the cookie to the cache key
-        proxy_cache_key "$http_authorization";
-        proxy_set_header X-Ldap-Group "*";
-    }
-}
\ No newline at end of file