feat: add oidc provisioning for opencloud

Signed-off-by: Bert-Jan Fikse <bert-jan@whatwedo.ch>
2026-03-05 15:36:12 +01:00 · 2026-03-05 15:36:12 +01:00 · 2dc9097707
commit 2dc9097707
parent 59cd27a031
4 changed files with 52 additions and 1 deletions
--- a/roles/opencloud/defaults/main.yml
+++ b/roles/opencloud/defaults/main.yml
@ -22,3 +22,16 @@ opencloud_extra_hosts: []
 # Traefik configuration
 opencloud_traefik_network: "proxy"
 opencloud_use_ssl: true
+
+# OIDC configuration (leave empty to use built-in IDP)
+opencloud_oidc_issuer: ""
+opencloud_oidc_client_id: "opencloud"
+opencloud_oidc_client_secret: ""
+opencloud_oidc_rewrite_wellknown: true
+opencloud_oidc_user_claim: "preferred_username"
+opencloud_oidc_user_cs3_claim: "username"
+opencloud_oidc_account_edit_url: ""
+opencloud_oidc_autoprovision_accounts: true
+
+# CSP configuration (extra URLs to allow in connect-src)
+opencloud_csp_extra_connect_src: []
--- a/roles/opencloud/tasks/main.yml
+++ b/roles/opencloud/tasks/main.yml
@ -20,6 +20,14 @@
    state: directory
    mode: '0755'

+- name: Create CSP override file
+  template:
+    src: csp-override.yaml.j2
+    dest: "{{ opencloud_docker_volume_dir }}/config/csp-override.yaml"
+    mode: '0644'
+  when: opencloud_csp_extra_connect_src | length > 0
+  notify: restart opencloud
+
 - name: Create docker-compose file for opencloud
  template:
    src: docker-compose.yml.j2
--- a/roles/opencloud/templates/csp-override.yaml.j2
+++ b/roles/opencloud/templates/csp-override.yaml.j2
@ -0,0 +1,13 @@
+directives:
+  connect-src:
+    - "'self'"
+    - "blob:"
+    - "https://raw.githubusercontent.com/opencloud-eu/awesome-apps/"
+    - "https://update.opencloud.eu/"
+{% for url in opencloud_csp_extra_connect_src %}
+    - "{{ url }}"
+{% endfor %}
+  script-src:
+    - "'self'"
+    - "'unsafe-inline'"
+    - "'unsafe-eval'"
--- a/roles/opencloud/templates/docker-compose.yml.j2
+++ b/roles/opencloud/templates/docker-compose.yml.j2
@ -18,7 +18,24 @@ services:
      OC_INSECURE: "true"
      OC_LOG_LEVEL: "{{ opencloud_log_level }}"
      PROXY_TLS: "false"
+{% if opencloud_csp_extra_connect_src | length > 0 %}
+      PROXY_CSP_CONFIG_FILE_OVERRIDE_LOCATION: "/etc/ocis/csp-override.yaml"
+{% endif %}
      IDM_ADMIN_PASSWORD: "{{ opencloud_admin_password }}"
+{% if opencloud_oidc_issuer %}
+      OC_OIDC_ISSUER: "{{ opencloud_oidc_issuer }}"
+      OC_OIDC_CLIENT_ID: "{{ opencloud_oidc_client_id }}"
+{% if opencloud_oidc_client_secret %}
+      OC_OIDC_CLIENT_SECRET: "{{ opencloud_oidc_client_secret }}"
+{% endif %}
+      PROXY_OIDC_REWRITE_WELLKNOWN: "{{ opencloud_oidc_rewrite_wellknown | string | lower }}"
+      PROXY_USER_OIDC_CLAIM: "{{ opencloud_oidc_user_claim }}"
+      PROXY_USER_CS3_CLAIM: "{{ opencloud_oidc_user_cs3_claim }}"
+      PROXY_AUTOPROVISION_ACCOUNTS: "{{ opencloud_oidc_autoprovision_accounts | string | lower }}"
+{% if opencloud_oidc_account_edit_url %}
+      WEB_OPTION_ACCOUNT_EDIT_LINK_HREF: "{{ opencloud_oidc_account_edit_url }}"
+{% endif %}
+{% endif %}
    networks:
      - {{ opencloud_traefik_network }}
 {% if opencloud_extra_hosts is defined and opencloud_extra_hosts | length > 0 %}