From ad1f8a1999b8ebcfb02844d903980c732d7aaa5d Mon Sep 17 00:00:00 2001
From: Bert-Jan Fikse
Date: Thu, 5 Mar 2026 15:36:12 +0100
Subject: [PATCH] feat: add oidc provisioning for opencloud
Signed-off-by: Bert-Jan Fikse
---
 .../vagrant/host_vars/backend/keycloak.yml | 11 +++++++++++
 .../vagrant/host_vars/backend/opencloud.yml | 15 +++++++++++++++
 2 files changed, 26 insertions(+)
 create mode 100644 inventories/vagrant/host_vars/backend/opencloud.yml
diff --git a/inventories/vagrant/host_vars/backend/keycloak.yml b/inventories/vagrant/host_vars/backend/keycloak.yml
index 7b0f5d5..dd14440 100644
--- a/inventories/vagrant/host_vars/backend/keycloak.yml
+++ b/inventories/vagrant/host_vars/backend/keycloak.yml
@@ -52,6 +52,17 @@ keycloak_oidc_clients:
 - openid
 - email
 - profile
+ - client_id: opencloud
+ name: "OpenCloud"
+ client_secret: "opencloud-secret-change-in-production"
+ redirect_uris:
+ - "https://opencloud.local.test/"
+ - "https://opencloud.local.test/oidc-callback.html"
+ - "https://opencloud.local.test/oidc-silent-redirect.html"
+ default_client_scopes:
+ - openid
+ - email
+ - profile
 # Identity providers (external login sources)
 # Uncomment and configure for production use with real credentials
diff --git a/inventories/vagrant/host_vars/backend/opencloud.yml b/inventories/vagrant/host_vars/backend/opencloud.yml
new file mode 100644
index 0000000..286befe
--- /dev/null
+++ b/inventories/vagrant/host_vars/backend/opencloud.yml
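Review bot: The new `opencloud` client entry in keycloak.yml hard-codes `client_secret: "opencloud-secret-change-in-production"`, and the same literal is repeated as `opencloud_oidc_client_secret` in the new opencloud.yml, so a guessable value sits in version control in two places that can drift apart. Both files are host_vars for the same `backend` host, so the Keycloak entry could reference the single definition instead, `client_secret: "{{ opencloud_oidc_client_secret }}"`, with that one variable vault-encrypted or overridden in any non-Vagrant inventory. Nothing visible here enforces the "change-in-production" hint; a pre-flight assert that fails when the value still contains that marker outside the vagrant inventory would catch a copied file. The `keycloak_oidc_clients` list starts above the hunk, so how the other clients source their secrets cannot be judged from here.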
@@ -0,0 +1,15 @@
+opencloud_domain: "opencloud.local.test"
+opencloud_admin_password: "admin"
+opencloud_extra_hosts:
+ - "opencloud.local.test:host-gateway"
+ - "keycloak.local.test:host-gateway"
+
+# OIDC configuration (Keycloak)
+opencloud_oidc_issuer: "https://keycloak.local.test/realms/vagrant"
+opencloud_oidc_client_id: "opencloud"
+opencloud_oidc_client_secret: "opencloud-secret-change-in-production"
+opencloud_oidc_account_edit_url: "https://keycloak.local.test/realms/vagrant/account"
+
+# Allow OpenCloud to connect to Keycloak for OIDC discovery
+opencloud_csp_extra_connect_src:
+ - "https://keycloak.local.test/"
\ No newline at end of file
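Review bot: `opencloud_admin_password: "admin"` near the top of the new opencloud.yml is a trivially guessable credential with nothing marking it as development-only, unlike the client secret further down, whose value at least says change-in-production. If the Vagrant box becomes reachable beyond the host, or this file is copied as a template for another inventory, the admin account is protected by a default password. I would add a comment above it such as `# Vagrant-only default; never reuse outside local development`, or source the value from a vault-encrypted variable. The file also ends without a trailing newline (`\ No newline at end of file`), which yamllint will flag.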