feat: add keycloak oidc provisioning tasks

Signed-off-by: Bert-Jan Fikse <bert-jan@whatwedo.ch>

inventories/vagrant/host_vars/backend/authentik.yml

@@ -31,7 +31,7 @@ authentik_oidc_apps:
     client_id_env: NEXTCLOUD_OIDC_CLIENT_ID
     client_secret_env: NEXTCLOUD_OIDC_CLIENT_SECRET
     redirect_uris:
-      - url: "https://nextcloud.local.test/login/generic_oauth"
+      - url: "https://nextcloud.local.test/apps/user_oidc/code"
         matching_mode: strict
     signing_key_name: "authentik Self-signed Certificate"
     flows:

inventories/vagrant/host_vars/backend/keycloak.yml

@@ -1 +1,73 @@
+# Keycloak configuration for vagrant environment
+keycloak_domain: keycloak.local.test
 keycloak_admin_password: admin
+
+# Enable provisioning via Keycloak Admin API
+keycloak_provisioning_enabled: true
+
+# Realm configuration
+keycloak_realm: "vagrant"
+keycloak_realm_display_name: "Vagrant Test Realm"
+
+# Groups to provision
+keycloak_groups:
+  - name: admins
+  - name: users
+  - name: developers
+
+# Local users to provision
+keycloak_local_users:
+  - username: testadmin
+    first_name: "Test"
+    last_name: "Admin"
+    email: "admin@local.test"
+    password: "admin"
+    groups:
+      - name: admins
+  - username: testuser
+    first_name: "Test"
+    last_name: "User"
+    email: "user@local.test"
+    password: "user"
+    groups:
+      - name: users
+
+# OIDC clients to provision
+keycloak_oidc_clients:
+  - client_id: nextcloud
+    name: "Nextcloud"
+    client_secret: "nextcloud-secret-change-in-production"
+    redirect_uris:
+      - "https://nextcloud.local.test/apps/user_oidc/code"
+    default_client_scopes:
+      - openid
+      - email
+      - profile
+  - client_id: httpbin
+    name: "HTTPBin Test App"
+    client_secret: "httpbin-secret-change-in-production"
+    redirect_uris:
+      - "https://httpbin.local.test/callback"
+    default_client_scopes:
+      - openid
+      - email
+      - profile
+
+# Identity providers (external login sources)
+# Uncomment and configure for production use with real credentials
+# keycloak_identity_providers:
+#   - alias: entra-id
+#     display_name: "Login with Microsoft"
+#     provider_id: oidc
+#     config:
+#       clientId: "your-entra-client-id"
+#       clientSecret: "your-entra-client-secret"
+#       authorizationUrl: "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
+#       tokenUrl: "https://login.microsoftonline.com/common/oauth2/v2.0/token"
+#       defaultScope: "openid profile email"
+
+# Resources to remove (for cleanup when removing items from above lists)
+keycloak_removed_users: []
+keycloak_removed_groups: []
+keycloak_removed_clients: []
+keycloak_removed_identity_providers: []

inventories/vagrant/host_vars/backend/nextcloud.yml

@@ -1,4 +1,6 @@
 nextcloud_collabora_disable_cert_verification: true
+nextcloud_allow_local_remote_servers: true  # Allow requests to local network in Vagrant
+nextcloud_oidc_allow_selfsigned: true  # Allow self-signed certs for OIDC in Vagrant
 
 # S3 storage configuration using Garage
 nextcloud_use_s3_storage: true
@@ -13,3 +15,30 @@ nextcloud_s3_usepath_style: true
 # Extra hosts for container DNS resolution (Vagrant only)
 nextcloud_extra_hosts:
   - "storage.local.test:192.168.56.11"
+  - "keycloak.local.test:192.168.56.11"
+  - "authentik.local.test:192.168.56.11"
+
+# OIDC providers for login
+nextcloud_oidc_providers:
+  - identifier: keycloak
+    display_name: "Login with Keycloak"
+    client_id: "nextcloud"
+    client_secret: "nextcloud-secret-change-in-production"
+    discovery_url: "https://keycloak.local.test/realms/vagrant/.well-known/openid-configuration"
+    scope: "openid email profile"
+    unique_uid: true
+    mapping:
+      uid: preferred_username
+      display_name: name
+      email: email
+  - identifier: authentik
+    display_name: "Login with Authentik"
+    client_id: "test1234"
+    client_secret: "test1234"
+    discovery_url: "https://authentik.local.test/application/o/nextcloud/.well-known/openid-configuration"
+    scope: "openid email profile"
+    unique_uid: true
+    mapping:
+      uid: preferred_username
+      display_name: name
+      email: email