a5fe631717
## Changes ### Identity Provider (Authentik) - ✅ Deployed Authentik 2025.10.3 as identity provider - ✅ Configured automatic bootstrap with admin account (akadmin) - ✅ Fixed OIDC provider creation with correct redirect_uris format - ✅ Added automated OAuth2/OIDC provider configuration for Nextcloud - ✅ API-driven provider setup eliminates manual configuration ### Nextcloud Configuration - ✅ Fixed reverse proxy header configuration (trusted_proxies) - ✅ Added missing database indices (fs_storage_path_prefix) - ✅ Ran mimetype migrations for proper file type handling - ✅ Verified PHP upload limits (16GB upload_max_filesize) - ✅ Configured OIDC integration with Authentik - ✅ "Login with Authentik" button auto-configured ### Automation Scripts - ✅ Added deploy-client.sh for automated client deployment - ✅ Added rebuild-client.sh for infrastructure rebuild - ✅ Added destroy-client.sh for cleanup - ✅ Full deployment now takes ~10-15 minutes end-to-end ### Documentation - ✅ Updated README with automated deployment instructions - ✅ Added SSO automation workflow documentation - ✅ Added automation status tracking - ✅ Updated project reference with Authentik details ### Technical Fixes - Fixed Authentik API redirect_uris format (requires list of dicts with matching_mode) - Fixed Nextcloud OIDC command (user_oidc:provider not user_oidc:provider:add) - Fixed file lookup in Ansible (changed to slurp for remote files) - Updated Traefik to v3.6 for Docker API 1.44 compatibility - Improved error handling in app installation tasks ## Security - All credentials stored in SOPS-encrypted secrets - Trusted proxy configuration prevents IP spoofing - Bootstrap tokens auto-generated and secured ## Result Fully automated SSO deployment - no manual configuration required! 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
66 lines
2.2 KiB
YAML
66 lines
2.2 KiB
YAML
---
|
|
- name: Configure OIDC
|
|
hosts: test
|
|
gather_facts: no
|
|
vars:
|
|
nextcloud_domain: "nextcloud.test.vrije.cloud"
|
|
tasks:
|
|
- name: Check if Authentik OIDC credentials are available
|
|
stat:
|
|
path: /tmp/authentik_oidc_credentials.json
|
|
register: oidc_creds_file
|
|
|
|
- name: Load OIDC credentials from Authentik
|
|
slurp:
|
|
path: /tmp/authentik_oidc_credentials.json
|
|
register: oidc_creds_content
|
|
when: oidc_creds_file.stat.exists
|
|
|
|
- name: Parse OIDC credentials
|
|
set_fact:
|
|
authentik_oidc: "{{ oidc_creds_content.content | b64decode | from_json }}"
|
|
when: oidc_creds_file.stat.exists
|
|
|
|
- name: Check if user_oidc app is installed
|
|
shell: docker exec -u www-data nextcloud php occ app:list --output=json
|
|
register: nextcloud_apps
|
|
changed_when: false
|
|
|
|
- name: Parse installed apps
|
|
set_fact:
|
|
user_oidc_installed: "{{ 'user_oidc' in (nextcloud_apps.stdout | from_json).enabled }}"
|
|
|
|
- name: Enable user_oidc app
|
|
shell: docker exec -u www-data nextcloud php occ app:enable user_oidc
|
|
when: not user_oidc_installed
|
|
|
|
- name: Check if OIDC provider is already configured
|
|
shell: docker exec -u www-data nextcloud php occ user_oidc:provider
|
|
register: oidc_providers
|
|
changed_when: false
|
|
failed_when: false
|
|
|
|
- name: Configure Authentik OIDC provider
|
|
shell: |
|
|
docker exec -u www-data nextcloud php occ user_oidc:provider \
|
|
--clientid="{{ authentik_oidc.client_id }}" \
|
|
--clientsecret="{{ authentik_oidc.client_secret }}" \
|
|
--discoveryuri="{{ authentik_oidc.discovery_uri }}" \
|
|
"Authentik"
|
|
when:
|
|
- authentik_oidc is defined
|
|
- authentik_oidc.success | default(false)
|
|
- "'Authentik' not in oidc_providers.stdout"
|
|
register: oidc_config
|
|
changed_when: oidc_config.rc == 0
|
|
|
|
- name: Display OIDC status
|
|
debug:
|
|
msg: |
|
|
✓ OIDC SSO fully configured!
|
|
Users can login with Authentik credentials at: https://{{ nextcloud_domain }}
|
|
|
|
"Login with Authentik" button should be visible on the login page.
|
|
when:
|
|
- authentik_oidc is defined
|
|
- authentik_oidc.success | default(false)
|