playbook.yml

@@ -3,3 +3,4 @@
   roles:
     - nginx
     - jellyfin
+    - oauth2proxy

roles/oauth2proxy/tasks/main.yml

@@ -0,0 +1,32 @@
+- name: ensure directories exist
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: '0755'
+  loop:
+    - "{{ data_folder }}/oauth2-proxy"
+- name: copy oauth2-proxy config
+  template:
+    src: oauth2-proxy.cfg
+    dest: "{{ data_folder }}/oauth2-proxy/oauth2-proxy.cfg"
+    mode: '0755'
+- name: run container
+  docker_container:
+    name: 'oauth2-proxy'
+    image: quay.io/oauth2-proxy/oauth2-proxy
+    networks:
+      - name: bridge
+      - name: nginx-internal
+    command: '/bin/oauth2-proxy --config=/etc/oauth2-proxy.cfg'
+    volumes:
+      - "{{ data_folder }}/oauth2-proxy/oauth2-proxy.cfg:/etc/oauth2-proxy.cfg"
+    ports:
+      - "4180:4180"
+    state: started
+    restart: yes
+- name: copy oauth2-proxy nginx config
+  template:
+    src: oauth2-proxy.conf.j2
+    dest: "{{ nginx_confd_folder }}/oauth2-proxy.conf"
+    mode: '0755'
+  notify: reload nginx

roles/oauth2proxy/templates/oauth2-proxy.cfg

@@ -0,0 +1,16 @@
+provider = "github"
+redirect_url = "https://auth.dev.local/oauth2/callback"
+provider_display_name = "Gitea"
+client_id = "8a433bb1-4da1-4948-a0f2-57a85e3b2cc5"
+client_secret = "xMESmq2UwOsMKR8hei60XrU4s7nen3KL8ymVELivcb8="
+login_url = "https://git.kucharczyk.xyz/login/oauth/authorize"
+redeem_url = "https://git.kucharczyk.xyz/login/oauth/access_token"
+validate_url = "https://git.kucharczyk.xyz/api/v1"
+
+email_domains = [
+    "dev.local"
+]
+
+cookie_secret = "lVyySw_e0gb30CRU9nwGOA=="
+reverse_proxy = "true"
+http_address = "http://0.0.0.0:4180"

roles/oauth2proxy/templates/oauth2-proxy.conf.j2

@@ -0,0 +1,16 @@
+server {
+    listen 443 default ssl;
+    server_name "auth.{{ base_domain }}";
+    add_header Strict-Transport-Security max-age=2592000;
+    set $oauth2proxy oauth2-proxy;
+
+    location / {
+        proxy_pass http://$oauth2proxy:4180;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Scheme $scheme;
+        proxy_connect_timeout 1;
+        proxy_send_timeout 30;
+        proxy_read_timeout 30;
+    }
+}