From 7a6b5415c44f481d82d15e3683c9a93e21a4eb36 Mon Sep 17 00:00:00 2001
From: Christian Elberfeld <6413499+elberfeld@users.noreply.github.com>
Date: Fri, 31 May 2024 22:10:16 +0200
Subject: [PATCH] VPN Server oidc config

---
 testserver/docker_vpnserver/Documentation.md  | 40 +++++++++++++++----
 testserver/docker_vpnserver/tasks/main.yml    |  2 +-
 .../templates/{config.yml => config.yaml}     | 23 ++---------
 .../templates/docker-compose.yml              |  5 +--
 testserver/docker_wordpress/Documentation.md  |  6 +--
 5 files changed, 40 insertions(+), 36 deletions(-)
 rename testserver/docker_vpnserver/templates/{config.yml => config.yaml} (50%)

diff --git a/testserver/docker_vpnserver/Documentation.md b/testserver/docker_vpnserver/Documentation.md
index c1c78942..b47eec0b 100644
--- a/testserver/docker_vpnserver/Documentation.md
+++ b/testserver/docker_vpnserver/Documentation.md
@@ -1,8 +1,32 @@
-1. /srv/vpnserver und /srv/vpnserver/secrets erstellen, "wg genkey > wg_private_key" in /srv/vpnserver/secrets
-2. deployen
-3.  uffd configurieren
-    1. neuen Dienst erstellen
-    2. OAuth2 Client-ID erstellen
-        - Client-ID: vpnserver
-        - Client-Secret: /srv/vpnserver/secrets/oauth_client_secret
-        - Redirect-URIs: https://<vpnserver-domain>/user/oauth2/uffd/callback
\ No newline at end of file
+
+
+# Overview 
+
+* Authentication to VPNServer is only possible with an account in uffd, regular authentication is disabled (can be enabled as fallback)
+* All users with group 'vpnserver_access' can access the VPNServer  
+
+# Setup OIDC Authentication via uffd 
+
+Uffd Reference: https://git.cccv.de/uffd
+
+
+## Setup VPNServer
+
+* Wireguard secret initial erstellen: ```wg genkey > wg_private_key``` in /srv/vpnserver/secrets
+
+
+## Setup in uffd
+
+Create Groups:
+
+- vpnserver_access: General Access to VPNServer
+
+Create a Service / OAuth Client: 
+
+Only Users with goup nextcloud_access can access Nextcloud 
+
+Client-ID: vpnserver
+Client-Secret: from file oauth_client_secret on the server
+Redirect-URIs: 
+* https://vpn.test-warpzone.de/callback
+
diff --git a/testserver/docker_vpnserver/tasks/main.yml b/testserver/docker_vpnserver/tasks/main.yml
index 997783a7..21147c81 100644
--- a/testserver/docker_vpnserver/tasks/main.yml
+++ b/testserver/docker_vpnserver/tasks/main.yml
@@ -22,7 +22,7 @@
     dest: "{{ basedir }}/{{ item }}"
   with_items:
     - docker-compose.yml
-    - config.yml
+    - config.yaml
   register: config
 
 
diff --git a/testserver/docker_vpnserver/templates/config.yml b/testserver/docker_vpnserver/templates/config.yaml
similarity index 50%
rename from testserver/docker_vpnserver/templates/config.yml
rename to testserver/docker_vpnserver/templates/config.yaml
index c4c8cf96..8f0a143d 100644
--- a/testserver/docker_vpnserver/templates/config.yml
+++ b/testserver/docker_vpnserver/templates/config.yaml
@@ -1,8 +1,8 @@
 # You can disable the builtin admin account by leaving out 'adminPassword'. Requires another backend to be configured.
-adminPassword: "{{ wg_admin_pass }}"
+# adminPassword: "{{ wg_admin_pass }}"
 # adminUsername sets the user for the Basic/Simple Auth admin account if adminPassword is set.
 # Every user of the basic and simple backend with a username matching adminUsername will have admin privileges.
-adminUsername: "vpnadmin"
+# adminUsername: "vpnadmin"
 # Configure zero or more authentication backends
 auth:
   oidc:
@@ -17,7 +17,7 @@ auth:
     # The path can be almost anything as long as it doesn't
     # conflict with a path that the web UI uses.
     # /callback is recommended.
-    redirectURL: "{{ oidc_global.provider_url }}/callback"
+    redirectURL: "https://{{ domain }}/callback"
     # List of scopes to request claims for. Must include 'openid'.
     # Must include 'email' if 'emailDomains' is used. Can include 'profile' to show the user's name in the UI.
     # Add custom ones if required for 'claimMapping'.
@@ -26,20 +26,3 @@ auth:
       - openid
       - profile
       - email
-      - groups
-    # You can optionally restrict access to users with an email address
-    # that matches an allowed domain.
-    # If empty or omitted then all email domains will be allowed.
-    # This is an advanced feature that allows you to define OIDC claim mapping expressions.
-    # This feature is used to define wg-access-server admins based off a claim in your OIDC token.
-    # A JSON-like object of claimKey: claimValue pairs as returned by the issuer is passed to the evaluation function. 
-    # See https://github.com/Knetic/govaluate/blob/9aa49832a739dcd78a5542ff189fb82c3e423116/MANUAL.md for the syntax.
-    claimMapping:
-      # This example works if you have a custom group_membership claim which is a list of strings 
-      admin: "'vpnserver_admin' in group_membership"
-      access: "'vpnserver_access' in group_membership"
-    # Let wg-access-server retrieve the claims from the ID Token instead of querying the UserInfo endpoint.
-    # Some OIDC authorization provider implementations (e.g. ADFS) only publish claims in the ID Token.
-    claimsFromIDToken: false
-    # require this claim to be "true" to allow access for the user
-    accessClaim: "access"
\ No newline at end of file
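Review bot: Dropping `accessClaim`, `claimMapping` and the `groups` scope removes the only authorization check in this backend, so every account that can complete an OIDC login at uffd now gets VPN access; the Documentation.md added in this commit states that only members of `vpnserver_access` can connect, which the new config no longer enforces (the same doc also still carries a copy-pasted "goup nextcloud_access ... Nextcloud" line). If the group restriction is wanted, keep the `groups` scope and restore an `access` mapping plus `accessClaim`, using whichever claim name uffd actually puts in the token (the removed lines assumed `group_membership`). A trailing newline at the end of the file would also avoid the `\ No newline` marker.
```yaml
      - email
      - groups
    # … unchanged: claim mapping comments …
    claimMapping:
      access: "'vpnserver_access' in group_membership"  # confirm claim name against uffd's token
    accessClaim: "access"
```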
diff --git a/testserver/docker_vpnserver/templates/docker-compose.yml b/testserver/docker_vpnserver/templates/docker-compose.yml
index 6616554c..ac208974 100644
--- a/testserver/docker_vpnserver/templates/docker-compose.yml
+++ b/testserver/docker_vpnserver/templates/docker-compose.yml
@@ -10,15 +10,12 @@ services:
       net.ipv6.conf.all.forwarding: 1
     volumes:
       - "{{ basedir }}/data:/data"
-      - "{{ basedir }}/config.yaml:/config.yml" # if you have a custom config file
+      - "{{ basedir }}/config.yaml:/config.yaml" 
     ports:
-    #  - "8000:8000/tcp"
       - "51820:51820/udp"
     devices:
       - "/dev/net/tun:/dev/net/tun"
     environment:
-      - "WG_ADMIN_USERNAME=vpnadmin"
-      - "WG_ADMIN_PASSWORD={{ wg_admin_pass }}"
       - "WG_WIREGUARD_PRIVATE_KEY={{ wg_private_key }}"
       - "WG_VPN_CIDRV6=0" # to disable IPv6
       - "WG_EXTERNAL_HOST={{ domain }}"
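Review bot: The new volume line `- "{{ basedir }}/config.yaml:/config.yaml" ` ends with a trailing space and has lost the explanatory comment; write it as `- "{{ basedir }}/config.yaml:/config.yaml"  # custom config, see templates/config.yaml`. The in-container path changed from /config.yml to /config.yaml, and nothing in the hunk passes a config path to the server, so this only works if the image reads /config.yaml by default — worth confirming, since a wrong path would silently fall back to the environment-only configuration. The `services:` block continues outside the hunk.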
diff --git a/testserver/docker_wordpress/Documentation.md b/testserver/docker_wordpress/Documentation.md
index 5ebd4b77..997e4da1 100644
--- a/testserver/docker_wordpress/Documentation.md
+++ b/testserver/docker_wordpress/Documentation.md
@@ -40,15 +40,15 @@ Pluin settings:
 
 Create Groups:
 
-- wordpress_access: General Access to Nextcloud 
+- wordpress_access: General Access to Wordpress 
 - wordpress_admin: This Group will be Mapped to the Group admin in Wordpress 
 
 Create a Service / OAuth Client: 
 
-Only Users with goup nextcloud_access can access Nextcloud 
+Only Users with goup wordpress_access can access Wordpress 
 
 Client-ID: wordpress 
-Client-Secret: from file nextcloud_oidc_secret on the server
+Client-Secret: from file wordpress_client_secret on the server
 Redirect-URIs: 
 * https://www.test-warpzone.de/wp-admin/admin-ajax.php?action=openid-connect-authorize
 
-- 
GitLab