Digitalboard/reference-ansible
6
1
Fork 0
Code Pull requests Activity Actions

fix(demo-gymburgdorf): route cross-host ForwardAuth via dedicated outpost FQDN

Browse source 
Storage Traefik calling the public auth.gymb.* FQDN hit Authentik's ASGI
handler, which 404s the /outpost.goauthentik.io/auth/traefik path. Add a
dedicated outpost.auth.int.gymb.* FQDN outside authentik_domains so the
request falls through to the embedded outpost, pinned to the application
host via traefik_extra_hosts to stay on the LAN.

- authentik: add authentik_outpost_domains; allow users group on drawio
  proxy so the Nextcloud drawio iframe works for non-admins
- garage: point webui ForwardAuth at the new outpost FQDN
- homarr: use public OIDC issuer to match the iss claim, enable
  auto-login, pin auth FQDN to LAN via extra_hosts
- opnform: intercept / and /login for SSO, keep break-glass bypass
- drawio: align comments with admins+users allow-list
This commit is contained in:
Simon Bärlocher 2026-06-04 11:07:48 +02:00
parent 2ba0c07cd3
commit 2206b809e7
No known key found for this signature in database
GPG key ID: 63DE20495932047A
6 changed files with 59 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

24
inventories/demo-gymburgdorf/host_vars/application/homarr.yml
View file

@ -14,16 +14,32 @@ homarr_admin_email: "admin@gymb.souveredu.ch"
homarr_admin_password: "{{ _homarr.admin_password }}"
# OIDC against Authentik. credentials provider stays enabled as a
# break-glass account.
# break-glass account — reach it via /auth/login/credentials when
# AUTH_OIDC_AUTO_LOGIN bypasses the normal /login page.
#
# Issuer must match the `iss` claim authentik emits, which is always the
# public FQDN (authentik's host-rewrite middleware aligns the claim with
# what browsers see). Homarr (oauth4webapi) does a strict 1:1 comparison
# between the discovery response's issuer and this URL — using the
# internal FQDN here fails with OAUTH_JSON_ATTRIBUTE_COMPARISON_FAILED.
# The extra_hosts pin below keeps the actual discovery/token/userinfo
# traffic on the LAN.
homarr_auth_providers: "credentials,oidc"
homarr_oidc_issuer: "https://auth.int.gymb.souveredu.ch/application/o/homarr/"
homarr_oidc_issuer: "https://auth.gymb.souveredu.ch/application/o/homarr/"
homarr_oidc_client_id: "homarr"
homarr_oidc_client_secret: "{{ _homarr.oidc_client_secret }}"
homarr_oidc_client_name: "Authentik"
homarr_oidc_scopes: "openid profile email groups"
homarr_oidc_groups_attribute: "groups"
homarr_oidc_admin_group: "homarr-admins"
homarr_oidc_auto_login: "false"
homarr_oidc_auto_login: "true"
# Pin the public authentik FQDN to the application host so OIDC
# discovery (and downstream token/userinfo) calls from the homarr
# container stay in the LAN. Without this, fetch() to auth.gymb.* would
# hit the public IP and time out in the DMZ (no hairpin-NAT). Same
# pattern as nextcloud_extra_hosts.
homarr_extra_hosts:
- "auth.gymb.souveredu.ch:172.16.19.101"
# Default board with shortcuts to the other gymburgdorf services. Width
# values describe horizontal grid cells (1-10 desktop / 6 tablet / 2