feat(services): refine split-horizon OIDC routing and harden nextcloud patch
- authentik: address the rewrite service by compose service name instead of a network alias on the public FQDN, which shadowed extra_hosts pins and broke OIDC discovery for c-ares-based (Node) resolvers - homarr: add homarr_extra_hosts to pin the IdP FQDN to a LAN IP so OIDC discovery stays in-network while the issuer matches the browser-facing URL - opnform: add opnform_oidc_sso_redirect_root to 302 the root URL to the SSO path (deep-links untouched, /login?bypass=1 break-glass); restart ingress via container restart so envsubst re-renders nginx.conf - nextcloud: make the UserConfig sed workaround fail loud on upstream drift instead of silently skipping (nextcloud/server#59629) - gitignore: exclude the local .ansible/ collection cache
This commit is contained in:
Simon Bärlocher
parent
3236ca332f
commit
3ace667b6c
12 changed files with 264 additions and 49 deletions
|
|
@ -130,6 +130,13 @@ opnform_oidc_group_role_mappings: []
|
|||
opnform_oidc_sso_entrypoint: false
|
||||
opnform_oidc_sso_path: "/sso"
|
||||
|
||||
# When true, the ingress 302-redirects the root URL (exact-match on `/`)
|
||||
# to opnform_oidc_sso_path so visiting https://<domain>/ jumps straight
|
||||
# to the IdP login without showing OpnForm's email form. Public form
|
||||
# deep-links (`/forms/<slug>`, `/login`, etc.) are untouched.
|
||||
# Requires opnform_oidc_sso_entrypoint=true.
|
||||
opnform_oidc_sso_redirect_root: false
|
||||
|
||||
# Traefik configuration
|
||||
opnform_traefik_network: "proxy"
|
||||
opnform_use_ssl: true
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue