From 2063268ed6bd52ac8193692da353a10dcf3c6fc7 Mon Sep 17 00:00:00 2001
From: Bert-Jan Fikse
Date: Fri, 27 Feb 2026 13:35:37 +0100
Subject: [PATCH] feat: add keycloak oidc provisioning tasks

Signed-off-by: Bert-Jan Fikse
---
 .../vagrant/host_vars/backend/authentik.yml | 2 +-
 .../vagrant/host_vars/backend/keycloak.yml | 74 ++++++++++++++++++-
 .../vagrant/host_vars/backend/nextcloud.yml | 31 +++++++-
 3 files changed, 104 insertions(+), 3 deletions(-)

diff --git a/inventories/vagrant/host_vars/backend/authentik.yml b/inventories/vagrant/host_vars/backend/authentik.yml
index 1a7633f..bff6b13 100644
--- a/inventories/vagrant/host_vars/backend/authentik.yml
+++ b/inventories/vagrant/host_vars/backend/authentik.yml
@@ -31,7 +31,7 @@ authentik_oidc_apps:
     client_id_env: NEXTCLOUD_OIDC_CLIENT_ID
     client_secret_env: NEXTCLOUD_OIDC_CLIENT_SECRET
     redirect_uris:
-      - url: "https://nextcloud.local.test/login/generic_oauth"
+      - url: "https://nextcloud.local.test/apps/user_oidc/code"
         matching_mode: strict
     signing_key_name: "authentik Self-signed Certificate"
     flows:
diff --git a/inventories/vagrant/host_vars/backend/keycloak.yml b/inventories/vagrant/host_vars/backend/keycloak.yml
index a83f8dc..7b0f5d5 100644
--- a/inventories/vagrant/host_vars/backend/keycloak.yml
+++ b/inventories/vagrant/host_vars/backend/keycloak.yml
@@ -1 +1,73 @@
-keycloak_admin_password: admin
\ No newline at end of file
+# Keycloak configuration for vagrant environment
+keycloak_domain: keycloak.local.test
+keycloak_admin_password: admin
+
+# Enable provisioning via Keycloak Admin API
+keycloak_provisioning_enabled: true
+
+# Realm configuration
+keycloak_realm: "vagrant"
+keycloak_realm_display_name: "Vagrant Test Realm"
+
+# Groups to provision
+keycloak_groups:
+  - name: admins
+  - name: users
+  - name: developers
+
+# Local users to provision
+keycloak_local_users:
+  - username: testadmin
+    first_name: "Test"
+    last_name: "Admin"
+    email: "admin@local.test"
+    password: "admin"
+    groups:
+      - name: admins
+  - username: testuser
+    first_name: "Test"
+    last_name: "User"
+    email: "user@local.test"
+    password: "user"
+    groups:
+      - name: users
+
+# OIDC clients to provision
+keycloak_oidc_clients:
+  - client_id: nextcloud
+    name: "Nextcloud"
+    client_secret: "nextcloud-secret-change-in-production"
+    redirect_uris:
+      - "https://nextcloud.local.test/apps/user_oidc/code"
+    default_client_scopes:
+      - openid
+      - email
+      - profile
+  - client_id: httpbin
+    name: "HTTPBin Test App"
+    client_secret: "httpbin-secret-change-in-production"
+    redirect_uris:
+      - "https://httpbin.local.test/callback"
+    default_client_scopes:
+      - openid
+      - email
+      - profile
+
+# Identity providers (external login sources)
+# Uncomment and configure for production use with real credentials
+# keycloak_identity_providers:
+#   - alias: entra-id
+#     display_name: "Login with Microsoft"
+#     provider_id: oidc
+#     config:
+#       clientId: "your-entra-client-id"
+#       clientSecret: "your-entra-client-secret"
+#       authorizationUrl: "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
+#       tokenUrl: "https://login.microsoftonline.com/common/oauth2/v2.0/token"
+#       defaultScope: "openid profile email"
+
+# Resources to remove (for cleanup when removing items from above lists)
+keycloak_removed_users: []
+keycloak_removed_groups: []
+keycloak_removed_clients: []
+keycloak_removed_identity_providers: []
\ No newline at end of file
diff --git a/inventories/vagrant/host_vars/backend/nextcloud.yml b/inventories/vagrant/host_vars/backend/nextcloud.yml
index 09f7846..5343040 100644
--- a/inventories/vagrant/host_vars/backend/nextcloud.yml
+++ b/inventories/vagrant/host_vars/backend/nextcloud.yml
@@ -1,4 +1,6 @@
 nextcloud_collabora_disable_cert_verification: true
+nextcloud_allow_local_remote_servers: true # Allow requests to local network in Vagrant
+nextcloud_oidc_allow_selfsigned: true # Allow self-signed certs for OIDC in Vagrant
 
 # S3 storage configuration using Garage
 nextcloud_use_s3_storage: true
@@ -12,4 +14,31 @@ nextcloud_s3_usepath_style: true
 
 # Extra hosts for container DNS resolution (Vagrant only)
 nextcloud_extra_hosts:
-  - "storage.local.test:192.168.56.11"
\ No newline at end of file
+  - "storage.local.test:192.168.56.11"
+  - "keycloak.local.test:192.168.56.11"
+  - "authentik.local.test:192.168.56.11"
+
+# OIDC providers for login
+nextcloud_oidc_providers:
+  - identifier: keycloak
+    display_name: "Login with Keycloak"
+    client_id: "nextcloud"
+    client_secret: "nextcloud-secret-change-in-production"
+    discovery_url: "https://keycloak.local.test/realms/vagrant/.well-known/openid-configuration"
+    scope: "openid email profile"
+    unique_uid: true
+    mapping:
+      uid: preferred_username
+      display_name: name
+      email: email
+  - identifier: authentik
+    display_name: "Login with Authentik"
+    client_id: "test1234"
+    client_secret: "test1234"
+    discovery_url: "https://authentik.local.test/application/o/nextcloud/.well-known/openid-configuration"
+    scope: "openid email profile"
+    unique_uid: true
+    mapping:
+      uid: preferred_username
+      display_name: name
+      email: email
\ No newline at end of file
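Review bot: The `client_secret` values under `keycloak_oidc_clients` and the `password` values under `keycloak_local_users` are plaintext literals in a committed inventory file, whereas authentik.yml in this same commit resolves the Nextcloud client credentials indirectly through `client_id_env` / `client_secret_env`. The "-change-in-production" suffix depends on someone remembering to edit a copied file; resolving the secret from the environment or a vaulted variable, e.g. `client_secret: "{{ lookup('env', 'NEXTCLOUD_OIDC_CLIENT_SECRET') }}"`, would make the Keycloak and Authentik provisioning paths consistent and stop the literal from being copied forward. The commented-out `keycloak_identity_providers` example also carries a `clientSecret` placeholder; a one-line comment there saying the real value should be injected rather than pasted into the inventory would help whoever uncomments it. The hunk ends with `\ No newline at end of file`; adding the trailing newline keeps later diffs of this file clean.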
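Review bot: The authentik provider entry hardcodes `client_id: "test1234"` / `client_secret: "test1234"`, but authentik.yml in this commit provisions that client from the `NEXTCLOUD_OIDC_CLIENT_ID` / `NEXTCLOUD_OIDC_CLIENT_SECRET` environment variables, so login only works if those variables happen to hold `test1234` and nothing flags the mismatch; both sides should read the same source. The keycloak entry likewise duplicates the secret literal from keycloak.yml and bakes the realm and host into `discovery_url`; since both files are host_vars for the same `backend` host, `discovery_url: "https://{{ keycloak_domain }}/realms/{{ keycloak_realm }}/.well-known/openid-configuration"` and a single shared variable for the client secret referenced from both files would keep one source of truth (assuming the playbook lets these host_vars be templated normally, which I cannot confirm from the hunk). This file also loses its trailing newline (`\ No newline at end of file`); worth restoring.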