Post-X-Society/Post-Tyranny-Tech-Infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Post-Tyranny-Tech-Infrastru.../ansible/configure-oidc.yml

67 lines
2.2 KiB
YAML
Raw Normal View History

feat: Complete Authentik SSO integration with automated OIDC setup ## Changes ### Identity Provider (Authentik) - ✅ Deployed Authentik 2025.10.3 as identity provider - ✅ Configured automatic bootstrap with admin account (akadmin) - ✅ Fixed OIDC provider creation with correct redirect_uris format - ✅ Added automated OAuth2/OIDC provider configuration for Nextcloud - ✅ API-driven provider setup eliminates manual configuration ### Nextcloud Configuration - ✅ Fixed reverse proxy header configuration (trusted_proxies) - ✅ Added missing database indices (fs_storage_path_prefix) - ✅ Ran mimetype migrations for proper file type handling - ✅ Verified PHP upload limits (16GB upload_max_filesize) - ✅ Configured OIDC integration with Authentik - ✅ "Login with Authentik" button auto-configured ### Automation Scripts - ✅ Added deploy-client.sh for automated client deployment - ✅ Added rebuild-client.sh for infrastructure rebuild - ✅ Added destroy-client.sh for cleanup - ✅ Full deployment now takes ~10-15 minutes end-to-end ### Documentation - ✅ Updated README with automated deployment instructions - ✅ Added SSO automation workflow documentation - ✅ Added automation status tracking - ✅ Updated project reference with Authentik details ### Technical Fixes - Fixed Authentik API redirect_uris format (requires list of dicts with matching_mode) - Fixed Nextcloud OIDC command (user_oidc:provider not user_oidc:provider:add) - Fixed file lookup in Ansible (changed to slurp for remote files) - Updated Traefik to v3.6 for Docker API 1.44 compatibility - Improved error handling in app installation tasks ## Security - All credentials stored in SOPS-encrypted secrets - Trusted proxy configuration prevents IP spoofing - Bootstrap tokens auto-generated and secured ## Result Fully automated SSO deployment - no manual configuration required! 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-08 16:56:19 +01:00
---
- name: Configure OIDC
hosts: test
gather_facts: no
vars:
nextcloud_domain: "nextcloud.test.vrije.cloud"
tasks:
- name: Check if Authentik OIDC credentials are available
stat:
path: /tmp/authentik_oidc_credentials.json
register: oidc_creds_file
- name: Load OIDC credentials from Authentik
slurp:
path: /tmp/authentik_oidc_credentials.json
register: oidc_creds_content
when: oidc_creds_file.stat.exists
- name: Parse OIDC credentials
set_fact:
authentik_oidc: "{{ oidc_creds_content.content | b64decode | from_json }}"
when: oidc_creds_file.stat.exists
- name: Check if user_oidc app is installed
shell: docker exec -u www-data nextcloud php occ app:list --output=json
register: nextcloud_apps
changed_when: false
- name: Parse installed apps
set_fact:
user_oidc_installed: "{{ 'user_oidc' in (nextcloud_apps.stdout | from_json).enabled }}"
- name: Enable user_oidc app
shell: docker exec -u www-data nextcloud php occ app:enable user_oidc
when: not user_oidc_installed
- name: Check if OIDC provider is already configured
shell: docker exec -u www-data nextcloud php occ user_oidc:provider
register: oidc_providers
changed_when: false
failed_when: false
- name: Configure Authentik OIDC provider
shell: |
docker exec -u www-data nextcloud php occ user_oidc:provider \
--clientid="{{ authentik_oidc.client_id }}" \
--clientsecret="{{ authentik_oidc.client_secret }}" \
--discoveryuri="{{ authentik_oidc.discovery_uri }}" \
"Authentik"
when:
- authentik_oidc is defined
- authentik_oidc.success | default(false)
- "'Authentik' not in oidc_providers.stdout"
register: oidc_config
changed_when: oidc_config.rc == 0
- name: Display OIDC status
debug:
msg: |
✓ OIDC SSO fully configured!
Users can login with Authentik credentials at: https://{{ nextcloud_domain }}
"Login with Authentik" button should be visible on the login page.
when:
- authentik_oidc is defined
- authentik_oidc.success | default(false)
Reference in a new issue Copy permalink