Digitalboard/reference-ansible
6
1
Fork 0
Code Pull requests Activity Actions
reference-ansible/inventories/demo-gymburgdorf/host_vars/application/opnform.yml
Simon Bärlocher 2206b809e7
fix(demo-gymburgdorf): route cross-host ForwardAuth via dedicated outpost FQDN 
Storage Traefik calling the public auth.gymb.* FQDN hit Authentik's ASGI
handler, which 404s the /outpost.goauthentik.io/auth/traefik path. Add a
dedicated outpost.auth.int.gymb.* FQDN outside authentik_domains so the
request falls through to the embedded outpost, pinned to the application
host via traefik_extra_hosts to stay on the LAN.

- authentik: add authentik_outpost_domains; allow users group on drawio
  proxy so the Nextcloud drawio iframe works for non-admins
- garage: point webui ForwardAuth at the new outpost FQDN
- homarr: use public OIDC issuer to match the iss claim, enable
  auto-login, pin auth FQDN to LAN via extra_hosts
- opnform: intercept / and /login for SSO, keep break-glass bypass
- drawio: align comments with admins+users allow-list
2026-06-04 11:07:48 +02:00

62 lines
2.9 KiB
YAML
Raw Blame History

---
# Bao secret <mount>/data/opnform expected to contain:
# app_key (must start with "base64:"), jwt_secret, front_api_secret,
# db_password, admin_password, oidc_client_secret
_opnform: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount + '/data/opnform', url=vault_addr) }}"
_authentik: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount + '/data/authentik', url=vault_addr) }}"
opnform_domain: "forms.gymb.souveredu.ch"
opnform_extra_domains:
- "forms.int.gymb.souveredu.ch"
opnform_base_url: "https://forms.gymb.souveredu.ch"
opnform_app_key: "{{ _opnform.app_key }}"
opnform_jwt_secret: "{{ _opnform.jwt_secret }}"
opnform_front_api_secret: "{{ _opnform.front_api_secret }}"
opnform_db_password: "{{ _opnform.db_password }}"
# Bootstrap admin via API on first run so the manual setup page is
# skipped. The admin credentials are also required to seed the OIDC
# IdentityConnection through OpnForm's API (only an authenticated admin
# can create connections).
opnform_admin_name: "OpnForm Admin"
opnform_admin_email: "admin@gymb.souveredu.ch"
opnform_admin_password: "{{ _opnform.admin_password }}"
# OIDC against Authentik. Discovery via the internal FQDN keeps
# server-to-server traffic in the LAN; Authentik's host-rewrite router
# rewrites the Host header to auth.gymb.* before the request reaches
# authentik so the iss claim still matches the public hostname browsers
# see during login.
opnform_oidc_enabled: true
# Issuer must use the public auth.gymb.* FQDN: OpnForm does OIDC
# discovery and then validates the token's `iss` claim against this
# value. Authentik emits the public hostname in `iss` (its host-rewrite
# middleware keeps the claim aligned with what browsers see), so an
# internal-FQDN issuer here would fail iss validation. The extra_hosts
# pin below keeps the actual discovery/token/userinfo traffic on the LAN.
opnform_oidc_issuer: "https://auth.gymb.souveredu.ch/application/o/opnform/"
opnform_oidc_client_id: "opnform"
opnform_oidc_client_secret: "{{ _opnform.oidc_client_secret }}"
opnform_oidc_client_name: "Authentik"
opnform_oidc_slug: "authentik"
opnform_oidc_domain: "gymb.souveredu.ch"
opnform_oidc_admin_group: "opnform-admins"
# Disable password login entirely — every user goes through Authentik.
# All real users have @gymb.souveredu.ch addresses (matching
# opnform_oidc_domain above), so no password fallback is needed.
opnform_oidc_force_login: true
# `/` and `/login` are intercepted and jump straight to Authentik.
# Public form deep-links (`/forms/<slug>`, `/admin/...`) keep working.
# Break-glass: /login?bypass=1 reaches the email form when the IdP is
# down.
opnform_oidc_sso_entrypoint: true
# Pin auth.gymb.* to the application host so server-to-server OIDC
# calls (token, userinfo, jwks — endpoints discovery returns under the
# public hostname even when discovery itself is fetched via auth.int.*)
# stay in the LAN.
opnform_extra_hosts:
- "auth.gymb.souveredu.ch:172.16.19.101"
View git blame Copy permalink