From 2dc9097707532ae67a31f4d4863d4d81e41728ac Mon Sep 17 00:00:00 2001
From: Bert-Jan Fikse
Date: Thu, 5 Mar 2026 15:36:12 +0100
Subject: [PATCH] feat: add oidc provisioning for opencloud

Signed-off-by: Bert-Jan Fikse
---
 roles/opencloud/defaults/main.yml               | 15 ++++++++++++++-
 roles/opencloud/tasks/main.yml                  |  8 ++++++++
 roles/opencloud/templates/csp-override.yaml.j2  | 13 +++++++++++++
 roles/opencloud/templates/docker-compose.yml.j2 | 17 +++++++++++++++++
 4 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 roles/opencloud/templates/csp-override.yaml.j2

diff --git a/roles/opencloud/defaults/main.yml b/roles/opencloud/defaults/main.yml
index 67ef6a4..0de06e7 100644
--- a/roles/opencloud/defaults/main.yml
+++ b/roles/opencloud/defaults/main.yml
@@ -21,4 +21,17 @@ opencloud_extra_hosts: []
 
 # Traefik configuration
 opencloud_traefik_network: "proxy"
-opencloud_use_ssl: true
\ No newline at end of file
+opencloud_use_ssl: true
+
+# OIDC configuration (leave empty to use built-in IDP)
+opencloud_oidc_issuer: ""
+opencloud_oidc_client_id: "opencloud"
+opencloud_oidc_client_secret: ""
+opencloud_oidc_rewrite_wellknown: true
+opencloud_oidc_user_claim: "preferred_username"
+opencloud_oidc_user_cs3_claim: "username"
+opencloud_oidc_account_edit_url: ""
+opencloud_oidc_autoprovision_accounts: true
+
+# CSP configuration (extra URLs to allow in connect-src)
+opencloud_csp_extra_connect_src: []
\ No newline at end of file
diff --git a/roles/opencloud/tasks/main.yml b/roles/opencloud/tasks/main.yml
index 65b4c70..b9f980f 100644
--- a/roles/opencloud/tasks/main.yml
+++ b/roles/opencloud/tasks/main.yml
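Review bot: The new defaults `opencloud_oidc_autoprovision_accounts: true` together with `opencloud_oidc_user_claim: "preferred_username"` are security-relevant choices that the one-line comment does not explain: a reader of defaults/main.yml cannot tell that every identity the issuer authenticates will receive a local account, keyed on a claim the IdP has to keep unique and immutable. Expand the comment to say so and to point operators to Ansible Vault for `opencloud_oidc_client_secret`, e.g. `# OIDC configuration (leave issuer empty to use built-in IDP). With autoprovision on, any user the issuer authenticates gets an account; the user claim must be unique and immutable at the IdP. Set the client secret from Vault, never here.`. The hunk also re-introduces a file that ends without a trailing newline (`\ No newline at end of file` on the last added line), which yamllint rejects; end the file with a newline.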
@@ -20,6 +20,14 @@
     state: directory
     mode: '0755'
 
+- name: Create CSP override file
+  template:
+    src: csp-override.yaml.j2
+    dest: "{{ opencloud_docker_volume_dir }}/config/csp-override.yaml"
+    mode: '0644'
+  when: opencloud_csp_extra_connect_src | length > 0
+  notify: restart opencloud
+
 - name: Create docker-compose file for opencloud
   template:
     src: docker-compose.yml.j2
diff --git a/roles/opencloud/templates/csp-override.yaml.j2 b/roles/opencloud/templates/csp-override.yaml.j2
new file mode 100644
index 0000000..f71cd9b
--- /dev/null
+++ b/roles/opencloud/templates/csp-override.yaml.j2
@@ -0,0 +1,13 @@
+directives:
+  connect-src:
+    - "'self'"
+    - "blob:"
+    - "https://raw.githubusercontent.com/opencloud-eu/awesome-apps/"
+    - "https://update.opencloud.eu/"
+{% for url in opencloud_csp_extra_connect_src %}
+    - "{{ url }}"
+{% endfor %}
+  script-src:
+    - "'self'"
+    - "'unsafe-inline'"
+    - "'unsafe-eval'"
\ No newline at end of file
diff --git a/roles/opencloud/templates/docker-compose.yml.j2 b/roles/opencloud/templates/docker-compose.yml.j2
index bc6d2c9..3785869 100644
--- a/roles/opencloud/templates/docker-compose.yml.j2
+++ b/roles/opencloud/templates/docker-compose.yml.j2
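Review bot: The override is written to `{{ opencloud_docker_volume_dir }}/config/csp-override.yaml`, but nothing in this commit mounts that path at the `/etc/ocis/csp-override.yaml` location the compose template hands to `PROXY_CSP_CONFIG_FILE_OVERRIDE_LOCATION`; unless the existing volume section of the compose template (outside these hunks) already maps `config` onto `/etc/ocis`, the proxy will start without the override and the extra URLs silently stay blocked. Please confirm the mount and note the host-to-container mapping in a comment above the task, e.g. `# Rendered into the config volume, which the compose template mounts at /etc/ocis`. The task is also skipped once the list becomes empty again, so a previously rendered file lingers on disk while the env var disappears; a paired task with `state: absent` under `when: opencloud_csp_extra_connect_src | length == 0` keeps host state in step with the compose file. The handler name `restart opencloud` is not visible here and must match an existing handler.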
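Review bot: `script-src` is hard-coded with `'unsafe-inline'` and `'unsafe-eval'`, which has nothing to do with the stated purpose of the file (extra `connect-src` entries) and is the most permissive script policy CSP allows; if these lines only mirror the upstream default so the override does not drop them, say so in a Jinja comment such as `{# script-src mirrors the OpenCloud default; an override file replaces the default directive set #}`, otherwise remove them. Presumably the override replaces rather than extends the default directives, so any default directive not repeated here (`frame-src`, `img-src`, `font-src`, …) may be lost — confirm against OpenCloud's CSP override semantics and document the result at the top of the template. Each extra URL is dropped inside double quotes unfiltered, so a value containing `"` breaks the rendered YAML; `    - {{ url | to_json }}` renders a correctly quoted scalar for any input. Given the OIDC issuer introduced in the same commit, the browser presumably also has to reach the issuer's origin, so consider adding `opencloud_oidc_issuer` to `connect-src` automatically when it is set instead of relying on the operator to repeat it in `opencloud_csp_extra_connect_src`.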
@@ -18,7 +18,24 @@ services:
       OC_INSECURE: "true"
       OC_LOG_LEVEL: "{{ opencloud_log_level }}"
       PROXY_TLS: "false"
+{% if opencloud_csp_extra_connect_src | length > 0 %}
+      PROXY_CSP_CONFIG_FILE_OVERRIDE_LOCATION: "/etc/ocis/csp-override.yaml"
+{% endif %}
       IDM_ADMIN_PASSWORD: "{{ opencloud_admin_password }}"
+{% if opencloud_oidc_issuer %}
+      OC_OIDC_ISSUER: "{{ opencloud_oidc_issuer }}"
+      OC_OIDC_CLIENT_ID: "{{ opencloud_oidc_client_id }}"
+{% if opencloud_oidc_client_secret %}
+      OC_OIDC_CLIENT_SECRET: "{{ opencloud_oidc_client_secret }}"
+{% endif %}
+      PROXY_OIDC_REWRITE_WELLKNOWN: "{{ opencloud_oidc_rewrite_wellknown | string | lower }}"
+      PROXY_USER_OIDC_CLAIM: "{{ opencloud_oidc_user_claim }}"
+      PROXY_USER_CS3_CLAIM: "{{ opencloud_oidc_user_cs3_claim }}"
+      PROXY_AUTOPROVISION_ACCOUNTS: "{{ opencloud_oidc_autoprovision_accounts | string | lower }}"
+{% if opencloud_oidc_account_edit_url %}
+      WEB_OPTION_ACCOUNT_EDIT_LINK_HREF: "{{ opencloud_oidc_account_edit_url }}"
+{% endif %}
+{% endif %}
     networks:
       - {{ opencloud_traefik_network }}
{% if opencloud_extra_hosts is defined and opencloud_extra_hosts | length > 0 %}
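Review bot: `OC_OIDC_CLIENT_SECRET` is rendered in plaintext into the docker-compose file and from there into the container environment, where it is readable by anyone who can read the rendered file or inspect the container; the `mode` and `no_log` of the compose task (outside this hunk) decide the exposure, so check that the rendered file is not world-readable and that the task does not log its content. `PROXY_USER_OIDC_CLAIM` set to `preferred_username` together with `PROXY_AUTOPROVISION_ACCOUNTS: "true"` matches and creates accounts on a claim that some IdPs let users edit; if the issuer does not guarantee that claim is unique and immutable, an identity could be mapped onto an existing account, so either document the requirement next to the variables or prefer a stable identifier claim with the matching CS3 claim. The unchanged `IDM_ADMIN_PASSWORD` line keeps provisioning the built-in IDM admin even when an external issuer is configured, which is probably intended because the built-in IDM still runs, but a Jinja comment such as `{# built-in IDM stays active for the admin account even with an external issuer #}` would make that explicit. The enclosing service definition starts and ends outside the hunk.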