reference-ansible/inventories/demo-gymburgdorf/host_vars/storage/garage.yml
Simon Bärlocher 2206b809e7
fix(demo-gymburgdorf): route cross-host ForwardAuth via dedicated outpost FQDN
Storage Traefik calling the public auth.gymb.* FQDN hit Authentik's ASGI
handler, which 404s the /outpost.goauthentik.io/auth/traefik path. Add a
dedicated outpost.auth.int.gymb.* FQDN outside authentik_domains so the
request falls through to the embedded outpost, pinned to the application
host via traefik_extra_hosts to stay on the LAN.

- authentik: add authentik_outpost_domains; allow users group on drawio
  proxy so the Nextcloud drawio iframe works for non-admins
- garage: point webui ForwardAuth at the new outpost FQDN
- homarr: use public OIDC issuer to match the iss claim, enable
  auto-login, pin auth FQDN to LAN via extra_hosts
- opnform: intercept / and /login for SSO, keep break-glass bypass
- drawio: align comments with admins+users allow-list
2026-06-04 11:07:48 +02:00

46 lines
2.1 KiB
YAML

---
# Bao secret <mount>/data/garage expected to contain:
# rpc_secret, admin_token, metrics_token, webui_password
_garage: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount + '/data/garage', url=vault_addr) }}"
# First entry is the canonical public S3 FQDN. Additional entries
# cover internal *.int.* names so server-to-server S3 traffic (e.g.
# nextcloud → garage) stays in the LAN.
garage_s3_domains:
  - "s3.gymb.souveredu.ch"
  - "s3.int.gymb.souveredu.ch"
garage_webui_domain: "console.s3.gymb.souveredu.ch"
garage_use_ssl: true
garage_webui_enabled: true
# Gate the WebUI behind authentik (admins-only, via policy-binding on the
# authentik proxy app). Replaces the htpasswd Basic-Auth — AUTH_USER_PASS
# is dropped from the compose env when this is true. The forwardauth URL
# uses a dedicated outpost-only FQDN that's deliberately outside
# authentik_domains so Authentik routes it to the embedded outpost (not
# ASGI). The public auth.gymb.* FQDN would 404 here — Authentik routes
# any Host matching an auth-domain to ASGI which doesn't serve the outpost
# path. The outpost itself then matches the protected app via
# X-Forwarded-Host (Traefik forwards it via trustForwardHeader=true).
# The FQDN is pinned to the application host via traefik_extra_hosts so
# the request stays in the LAN.
garage_webui_authentik_forward_auth: true
garage_webui_authentik_forward_auth_url: "https://outpost.auth.int.gymb.souveredu.ch/outpost.goauthentik.io/auth/traefik"
# Kept for completeness — only used when authentik ForwardAuth is off.
garage_webui_username: "admin"
garage_webui_password: "{{ _garage.webui_password | default('disabled') }}"
garage_rpc_secret: "{{ _garage.rpc_secret }}"
garage_admin_token: "{{ _garage.admin_token }}"
garage_metrics_token: "{{ _garage.metrics_token }}"
# Initial cluster bootstrap (single-node)
garage_bootstrap_enabled: true
garage_bootstrap_zone: "burgdorf1"
garage_bootstrap_capacity: "100G"
# Buckets and keys consumed by nextcloud
garage_s3_keys:
  - name: nextcloud
    buckets:
      - name: nextcloud
        permissions: ["read", "write"]
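The ForwardAuth routing the comments above describe, shown as an added illustration in Traefik's dynamic (file-provider) configuration. This is not the page's or the role's own rendered output: the middleware, router and service names, the `10.0.0.10` LAN address, the `websecure` entrypoint and the WebUI container port are assumptions, and the `authResponseHeaders` listed are the ones authentik's proxy outpost sets. The first middleware is the broken variant (address on the public auth FQDN, which the commit message reports answers 404; Traefik's forwardAuth relays any non-2xx response to the browser, so users simply see the 404), next to the corrected one on the dedicated outpost-only FQDN. The second document is the compose-side LAN pin that `traefik_extra_hosts` is assumed to render to.

```yaml
# Added example, not the role's rendered output. Names, port and IP are placeholders.
http:
  middlewares:
    # WRONG: the public auth FQDN matches authentik_domains, so Authentik
    # serves it via ASGI, the outpost path 404s, and Traefik relays that
    # non-2xx answer straight to the client.
    garage-webui-auth-broken:
      forwardAuth:
        address: "https://auth.gymb.souveredu.ch/outpost.goauthentik.io/auth/traefik"
        trustForwardHeader: true
    # CORRECT: dedicated FQDN outside authentik_domains, so the request falls
    # through to the embedded outpost. trustForwardHeader=true lets the outpost
    # read X-Forwarded-Host (console.s3.gymb.souveredu.ch) and match the
    # protected proxy app; the allowed headers carry identity to the backend.
    garage-webui-auth:
      forwardAuth:
        address: "https://outpost.auth.int.gymb.souveredu.ch/outpost.goauthentik.io/auth/traefik"
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
  routers:
    garage-webui:
      rule: "Host(`console.s3.gymb.souveredu.ch`)"
      entryPoints: ["websecure"]   # assumed entrypoint name
      tls: {}
      middlewares: ["garage-webui-auth"]
      service: "garage-webui"
  services:
    garage-webui:
      loadBalancer:
        servers:
          - url: "http://garage-webui:3909"   # container name and port assumed
---
# Compose side on the storage host: pin the outpost FQDN to the application
# host's LAN address so the ForwardAuth call never leaves the LAN.
# 10.0.0.10 is a placeholder for the application host.
services:
  traefik:
    extra_hosts:
      - "outpost.auth.int.gymb.souveredu.ch:10.0.0.10"
```

Two things must hold on the application host for this to work: its Traefik has to route `outpost.auth.int.gymb.souveredu.ch` to the authentik server (with a certificate the storage host's Traefik accepts), and the authentik proxy provider for `console.s3.gymb.souveredu.ch` must be assigned to the embedded outpost. A quick check from the storage host is `curl -sI -H 'X-Forwarded-Host: console.s3.gymb.souveredu.ch' https://outpost.auth.int.gymb.souveredu.ch/outpost.goauthentik.io/auth/traefik`: an unauthenticated request should come back as a redirect into the authentik login flow, whereas the same path on `auth.gymb.souveredu.ch` is what the commit message reports as a 404.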