Digitalboard/reference-ansible
6
1
Fork 0
Code Pull requests Activity Actions

fix(demo-gymburgdorf): route cross-host ForwardAuth via dedicated outpost FQDN

Browse source 
Storage Traefik calling the public auth.gymb.* FQDN hit Authentik's ASGI
handler, which 404s the /outpost.goauthentik.io/auth/traefik path. Add a
dedicated outpost.auth.int.gymb.* FQDN outside authentik_domains so the
request falls through to the embedded outpost, pinned to the application
host via traefik_extra_hosts to stay on the LAN.

- authentik: add authentik_outpost_domains; allow users group on drawio
  proxy so the Nextcloud drawio iframe works for non-admins
- garage: point webui ForwardAuth at the new outpost FQDN
- homarr: use public OIDC issuer to match the iss claim, enable
  auto-login, pin auth FQDN to LAN via extra_hosts
- opnform: intercept / and /login for SSO, keep break-glass bypass
- drawio: align comments with admins+users allow-list
This commit is contained in:
Simon Bärlocher 2026-06-04 11:07:48 +02:00
parent 2ba0c07cd3
commit 2206b809e7
No known key found for this signature in database
GPG key ID: 63DE20495932047A
6 changed files with 59 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

15
inventories/demo-gymburgdorf/host_vars/application/authentik.yml
View file

@ -21,6 +21,15 @@ authentik_host_rewrite_domains:
authentik_secret_key: "{{ _authentik.secret_key }}"
authentik_postgres_password: "{{ _authentik.postgres_password }}"
# Dedicated FQDN for cross-host ForwardAuth (storage Traefik calling
# /outpost.goauthentik.io/auth/traefik). Routing through the public
# auth.gymb.* FQDN doesn't work — Authentik sees Host: auth.gymb.* and
# routes to ASGI which 404s the outpost path. This FQDN sits outside
# authentik_domains so the same request falls through to the embedded
# outpost handler (which matches the protected app via X-Forwarded-Host).
authentik_outpost_domains:
- "outpost.auth.int.gymb.souveredu.ch"
# LDAP outpost (provider for nextcloud)
authentik_ldap_apps:
- slug: ldap
@ -47,8 +56,14 @@ authentik_proxy_apps:
name: Drawio
external_host: "https://draw.gymb.souveredu.ch"
internal_host: "http://drawio:8080"
# drawio is embedded in Nextcloud as an iframe (nextcloud_enable_drawio).
# Every authenticated Nextcloud user must therefore pass the ForwardAuth
# gate, otherwise the editor loads a 403 inside the iframe. Allow both
# standard groups; tightening this back to admins-only would break the
# Nextcloud integration for regular users.
allowed_groups:
- admins
- users
flows:
authentication_slug: default-authentication-flow
authorization_slug: default-provider-authorization-implicit-consent