Digitalboard/digitalboard.core
5
2
Fork 0
Code Pull requests Releases Packages Activity Actions

feat: add oidc provisioning for opencloud

Browse source 
Signed-off-by: Bert-Jan Fikse <bert-jan@whatwedo.ch>
This commit is contained in:
Bert-Jan Fikse 2026-03-05 15:36:12 +01:00
parent 59cd27a031
commit 2dc9097707
Signed by: bert-jan
GPG key ID: C1E0AB516AC16D1A
4 changed files with 52 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

15
roles/opencloud/defaults/main.yml
View file

@ -21,4 +21,17 @@ opencloud_extra_hosts: []
# Traefik configuration # Traefik configuration
opencloud_traefik_network: "proxy" opencloud_traefik_network: "proxy"
opencloud_use_ssl: true opencloud_use_ssl: true
# OIDC configuration (leave empty to use built-in IDP)
opencloud_oidc_issuer: ""
opencloud_oidc_client_id: "opencloud"
opencloud_oidc_client_secret: ""
opencloud_oidc_rewrite_wellknown: true
opencloud_oidc_user_claim: "preferred_username"
opencloud_oidc_user_cs3_claim: "username"
opencloud_oidc_account_edit_url: ""
opencloud_oidc_autoprovision_accounts: true
# CSP configuration (extra URLs to allow in connect-src)
opencloud_csp_extra_connect_src: []

8
roles/opencloud/tasks/main.yml
View file

@ -20,6 +20,14 @@
state: directory state: directory
mode: '0755' mode: '0755'
- name: Create CSP override file
template:
src: csp-override.yaml.j2
dest: "{{ opencloud_docker_volume_dir }}/config/csp-override.yaml"
mode: '0644'
when: opencloud_csp_extra_connect_src | length > 0
notify: restart opencloud
- name: Create docker-compose file for opencloud - name: Create docker-compose file for opencloud
template: template:
src: docker-compose.yml.j2 src: docker-compose.yml.j2

13
roles/opencloud/templates/csp-override.yaml.j2 Normal file
View file

@ -0,0 +1,13 @@
directives:
connect-src:
- "'self'"
- "blob:"
- "https://raw.githubusercontent.com/opencloud-eu/awesome-apps/"
- "https://update.opencloud.eu/"
{% for url in opencloud_csp_extra_connect_src %}
- "{{ url }}"
{% endfor %}
script-src:
- "'self'"
- "'unsafe-inline'"
- "'unsafe-eval'"

17
roles/opencloud/templates/docker-compose.yml.j2
View file

@ -18,7 +18,24 @@ services:
OC_INSECURE: "true" OC_INSECURE: "true"
OC_LOG_LEVEL: "{{ opencloud_log_level }}" OC_LOG_LEVEL: "{{ opencloud_log_level }}"
PROXY_TLS: "false" PROXY_TLS: "false"
{% if opencloud_csp_extra_connect_src | length > 0 %}
PROXY_CSP_CONFIG_FILE_OVERRIDE_LOCATION: "/etc/ocis/csp-override.yaml"
{% endif %}
IDM_ADMIN_PASSWORD: "{{ opencloud_admin_password }}" IDM_ADMIN_PASSWORD: "{{ opencloud_admin_password }}"
{% if opencloud_oidc_issuer %}
OC_OIDC_ISSUER: "{{ opencloud_oidc_issuer }}"
OC_OIDC_CLIENT_ID: "{{ opencloud_oidc_client_id }}"
{% if opencloud_oidc_client_secret %}
OC_OIDC_CLIENT_SECRET: "{{ opencloud_oidc_client_secret }}"
{% endif %}
PROXY_OIDC_REWRITE_WELLKNOWN: "{{ opencloud_oidc_rewrite_wellknown | string | lower }}"
PROXY_USER_OIDC_CLAIM: "{{ opencloud_oidc_user_claim }}"
PROXY_USER_CS3_CLAIM: "{{ opencloud_oidc_user_cs3_claim }}"
PROXY_AUTOPROVISION_ACCOUNTS: "{{ opencloud_oidc_autoprovision_accounts | string | lower }}"
{% if opencloud_oidc_account_edit_url %}
WEB_OPTION_ACCOUNT_EDIT_LINK_HREF: "{{ opencloud_oidc_account_edit_url }}"
{% endif %}
{% endif %}
networks: networks:
- {{ opencloud_traefik_network }} - {{ opencloud_traefik_network }}
{% if opencloud_extra_hosts is defined and opencloud_extra_hosts | length > 0 %} {% if opencloud_extra_hosts is defined and opencloud_extra_hosts | length > 0 %}