Post-X-Society/Post-Tyranny-Tech-Infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Post-Tyranny-Tech-Infrastru.../ansible/roles/nextcloud/tasks/oidc.yml
Pieter a5fe631717 feat: Complete Authentik SSO integration with automated OIDC setup 
## Changes

### Identity Provider (Authentik)
-  Deployed Authentik 2025.10.3 as identity provider
-  Configured automatic bootstrap with admin account (akadmin)
-  Fixed OIDC provider creation with correct redirect_uris format
-  Added automated OAuth2/OIDC provider configuration for Nextcloud
-  API-driven provider setup eliminates manual configuration

### Nextcloud Configuration
-  Fixed reverse proxy header configuration (trusted_proxies)
-  Added missing database indices (fs_storage_path_prefix)
-  Ran mimetype migrations for proper file type handling
-  Verified PHP upload limits (16GB upload_max_filesize)
-  Configured OIDC integration with Authentik
-  "Login with Authentik" button auto-configured

### Automation Scripts
-  Added deploy-client.sh for automated client deployment
-  Added rebuild-client.sh for infrastructure rebuild
-  Added destroy-client.sh for cleanup
-  Full deployment now takes ~10-15 minutes end-to-end

### Documentation
-  Updated README with automated deployment instructions
-  Added SSO automation workflow documentation
-  Added automation status tracking
-  Updated project reference with Authentik details

### Technical Fixes
- Fixed Authentik API redirect_uris format (requires list of dicts with matching_mode)
- Fixed Nextcloud OIDC command (user_oidc:provider not user_oidc:provider:add)
- Fixed file lookup in Ansible (changed to slurp for remote files)
- Updated Traefik to v3.6 for Docker API 1.44 compatibility
- Improved error handling in app installation tasks

## Security
- All credentials stored in SOPS-encrypted secrets
- Trusted proxy configuration prevents IP spoofing
- Bootstrap tokens auto-generated and secured

## Result
Fully automated SSO deployment - no manual configuration required!

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-08 16:56:19 +01:00

79 lines
2.5 KiB
YAML
Raw Blame History

---
# OIDC/SSO integration tasks for Nextcloud with Authentik
- name: Check if user_oidc app is installed
shell: docker exec -u www-data nextcloud php occ app:list --output=json
register: nextcloud_apps
changed_when: false
- name: Parse installed apps
set_fact:
user_oidc_installed: "{{ 'user_oidc' in (nextcloud_apps.stdout | from_json).enabled }}"
- name: Install user_oidc app
shell: docker exec -u www-data nextcloud php occ app:install user_oidc
when: not user_oidc_installed
register: oidc_install
changed_when: "'installed' in oidc_install.stdout"
- name: Enable user_oidc app
shell: docker exec -u www-data nextcloud php occ app:enable user_oidc
when: not user_oidc_installed
- name: Check if Authentik OIDC credentials are available
stat:
path: /tmp/authentik_oidc_credentials.json
register: oidc_creds_file
- name: Load OIDC credentials from Authentik
slurp:
path: /tmp/authentik_oidc_credentials.json
register: oidc_creds_content
when: oidc_creds_file.stat.exists
- name: Parse OIDC credentials
set_fact:
authentik_oidc: "{{ oidc_creds_content.content | b64decode | from_json }}"
when: oidc_creds_file.stat.exists
- name: Check if OIDC provider is already configured
shell: docker exec -u www-data nextcloud php occ user_oidc:provider
register: oidc_providers
changed_when: false
failed_when: false
- name: Configure Authentik OIDC provider
shell: |
docker exec -u www-data nextcloud php occ user_oidc:provider \
--clientid="{{ authentik_oidc.client_id }}" \
--clientsecret="{{ authentik_oidc.client_secret }}" \
--discoveryuri="{{ authentik_oidc.discovery_uri }}" \
"Authentik"
when:
- authentik_oidc is defined
- authentik_oidc.success | default(false)
- "'Authentik' not in oidc_providers.stdout"
register: oidc_config
changed_when: oidc_config.rc == 0
- name: Cleanup OIDC credentials file
file:
path: /tmp/authentik_oidc_credentials.json
state: absent
when: oidc_creds_file.stat.exists
- name: Display OIDC status
debug:
msg: |
{% if authentik_oidc is defined and authentik_oidc.success | default(false) %}
✓ OIDC SSO fully configured!
Users can login with Authentik credentials at: https://{{ nextcloud_domain }}
"Login with Authentik" button should be visible on the login page.
{% else %}
⚠ OIDC app installed but not yet configured.
To complete setup:
1. Ensure Authentik API token is in secrets (authentik_api_token)
2. Re-run deployment with: --tags authentik,oidc
{% endif %}
Reference in a new issue View git blame Copy permalink