606 lines
25 KiB
Markdown
606 lines
25 KiB
Markdown
|
|
# TLS + OAuth2 SSO for dev-02
|
||
|
|
|
||
|
|
## Goal
|
||
|
|
|
||
|
|
Add HTTPS, TLS termination, and OAuth2/OIDC SSO to dev-02 services (code-server + opencode),
|
||
|
|
exposed directly on the internal network for VPN/office access.
|
||
|
|
|
||
|
|
## Architecture
|
||
|
|
|
||
|
|
```
|
||
|
|
┌──────────────────────────────────────────┐
|
||
|
|
│ dev-02.lab.alexpires.me │
|
||
|
|
│ (Fedora bare metal) │
|
||
|
|
│ │
|
||
|
|
│ ┌──────┐ auth_request ┌───────────┐ │
|
||
|
|
│ │nginx │─────────────────►│oauth2- │ │
|
||
|
|
│ │:443 │◄──────────────────│proxy:4180 │ │
|
||
|
|
│ │TLS │ │(session) │ │
|
||
|
|
│ │SSO │ │ │ │
|
||
|
|
│ └──┬───┘ └─────┬─────┘ │
|
||
|
|
│ │ proxy_pass (trusts auth) │ │
|
||
|
|
│ │ │OIDC │
|
||
|
|
│ ┌──▼──────┐ ┌──────▼────┐ │
|
||
|
|
│ │ide:3000 │ │Gitea IdP │ │
|
||
|
|
│ │(127.0.0.1) │code. │ │
|
||
|
|
│ │code- │ │alexpires. │ │
|
||
|
|
│ │server │ │me (pub) │ │
|
||
|
|
│ └────────┘ └───────────┘ │
|
||
|
|
│ ┌────────┐ │
|
||
|
|
│ │agent:4096│ │
|
||
|
|
│ │(127.0.0.1) │
|
||
|
|
│ │opencode │ │
|
||
|
|
│ └────────┘ │
|
||
|
|
└──────────────────────────────────────────┘
|
||
|
|
│ │
|
||
|
|
HTTPS 443 │ │ OIDC
|
||
|
|
(internal) │ │
|
||
|
|
▼ ▼
|
||
|
|
┌──────────────────────────────────────────┐
|
||
|
|
│ Browser (VPN/office) │ code.alexpires.me (public)
|
||
|
|
│ ide.lab.alexpires.me:443 ──────────► Gitea IdP
|
||
|
|
│ agent.lab.alexpires.me:443 ──────────►
|
||
|
|
└──────────────────────────────────────────┘
|
||
|
|
```
|
||
|
|
|
||
|
|
## SSO Flow
|
||
|
|
|
||
|
|
1. User visits `https://ide.lab.alexpires.me:443` (direct, requires VPN/office)
|
||
|
|
2. nginx detects no valid session cookie → `auth_request` to oauth2-proxy
|
||
|
|
3. oauth2-proxy returns 401 → nginx redirects browser to Gitea login
|
||
|
|
4. Browser → `code.alexpires.me` (Gitea, public, always reachable)
|
||
|
|
5. User logs in → Gitea redirects back to `https://ide.lab.alexpires.me/oauth2/callback`
|
||
|
|
6. oauth2-proxy exchanges code → access_token → creates session cookie
|
||
|
|
7. Cookie scoped to `*.lab.alexpires.me` → SSO across lab subdomains
|
||
|
|
8. Subsequent requests: nginx trusts cookie → proxies to backend (no re-login)
|
||
|
|
|
||
|
|
**Access constraint:** SSO only works when the user can reach `lab.alexpires.me` (VPN or office network).
|
||
|
|
This is inherent to the architecture — the OAuth2 callback URL (`ide.lab.alexpires.me/oauth2/callback`)
|
||
|
|
must be reachable by the browser after Gitea redirects back. All `lab.alexpires.me` services
|
||
|
|
follow this same constraint.
|
||
|
|
|
||
|
|
## Certificate Strategy
|
||
|
|
|
||
|
|
- **SAN cert** for `ide.lab.alexpires.me` and `agent.lab.alexpires.me`
|
||
|
|
- Obtained via certbot DNS-01 challenge (cloudns plugin)
|
||
|
|
- Auto-renewal via cron with `--deploy-hook "systemctl reload nginx"`
|
||
|
|
- No port 80/443 exposure needed (DNS-01 challenge doesn't need HTTP)
|
||
|
|
- Certbot stores certs in `/etc/letsencrypt/live/` (symlinked from `/etc/letsencrypt/archive/`)
|
||
|
|
- nginx references:
|
||
|
|
- `ssl_certificate /etc/letsencrypt/live/ide.lab.alexpires.me/fullchain.pem;`
|
||
|
|
- `ssl_certificate_key /etc/letsencrypt/live/ide.lab.alexpires.me/privkey.pem;`
|
||
|
|
|
||
|
|
## Service Binding
|
||
|
|
|
||
|
|
| Service | Before | After |
|
||
|
|
|---------|--------|-------|
|
||
|
|
| code-server | `0.0.0.0:3000` | `127.0.0.1:3000` |
|
||
|
|
| opencode | `0.0.0.0:4096` | `127.0.0.1:4096` |
|
||
|
|
| oauth2-proxy | N/A | `127.0.0.1:4180` |
|
||
|
|
| nginx | N/A | `0.0.0.0:443` (only public port) |
|
||
|
|
|
||
|
|
## Pre-requisites
|
||
|
|
|
||
|
|
Before applying, register an OAuth2 app in Gitea:
|
||
|
|
- **Name:** `lab-services`
|
||
|
|
- **Redirect URI:** `https://ide.lab.alexpires.me/oauth2/callback`
|
||
|
|
- **Scopes:** `openid`, `profile`, `email`
|
||
|
|
- **Result:** `client_id` + `client_secret` → stored in `sectool` / env vars
|
||
|
|
|
||
|
|
Generate a cookie secret:
|
||
|
|
```sh
|
||
|
|
openssl rand -base64 32
|
||
|
|
```
|
||
|
|
Store via `sectool` as `OAUTH2_PROXY_COOKIE_SECRET`, `OAUTH2_PROXY_CLIENT_ID`, `OAUTH2_PROXY_CLIENT_SECRET`.
|
||
|
|
|
||
|
|
## Changes Required
|
||
|
|
|
||
|
|
### 1. New Role: `nginx_proxy`
|
||
|
|
|
||
|
|
```
|
||
|
|
ansible/roles/nginx_proxy/
|
||
|
|
├── defaults/main.yml # certbot, nginx, oauth2 config, upstreams
|
||
|
|
├── tasks/
|
||
|
|
│ ├── main.yml # Entry point (includes certbot, nginx, oauth2_proxy)
|
||
|
|
│ ├── certbot.yml # Install certbot, DNS credentials, obtain cert, cron renewal
|
||
|
|
│ ├── nginx.yml # Install nginx, deploy config, systemd, SELinux context
|
||
|
|
│ └── oauth2_proxy.yml # Download binary, config, systemd
|
||
|
|
├── templates/
|
||
|
|
│ ├── nginx.conf.j2 # Main nginx config (worker processes, logging, etc.)
|
||
|
|
│ ├── nginx-server.conf.j2 # Server blocks (SAN domains, TLS, auth_request, proxy)
|
||
|
|
│ └── oauth2-proxy.cfg.j2 # OAuth2/OIDC config for Gitea
|
||
|
|
└── files/
|
||
|
|
└── .gitkeep
|
||
|
|
```
|
||
|
|
|
||
|
|
#### `defaults/main.yml`
|
||
|
|
|
||
|
|
```yaml
|
||
|
|
nginx_proxy_certbot_enabled: true
|
||
|
|
nginx_proxy_certbot_email: "c.alexandre.pires@alexpires.me"
|
||
|
|
nginx_proxy_certbot_domains:
|
||
|
|
- "ide.lab.alexpires.me"
|
||
|
|
- "agent.lab.alexpires.me"
|
||
|
|
nginx_proxy_certbot_cron_minute: "0"
|
||
|
|
nginx_proxy_certbot_cron_hour: "3"
|
||
|
|
nginx_proxy_certbot_credential_file: "/etc/letsencrypt/cloudns.ini"
|
||
|
|
nginx_proxy_certbot_credential_mode: "0600"
|
||
|
|
nginx_proxy_certbot_nginx_reload: true
|
||
|
|
|
||
|
|
nginx_proxy_nginx_enabled: true
|
||
|
|
nginx_proxy_nginx_bind: "0.0.0.0"
|
||
|
|
nginx_proxy_nginx_port: 443
|
||
|
|
nginx_proxy_nginx_worker_connections: 1024
|
||
|
|
nginx_proxy_nginx_log_format: "main"
|
||
|
|
nginx_proxy_nginx_access_log: "/var/log/nginx/access.log"
|
||
|
|
nginx_proxy_nginx_error_log: "/var/log/nginx/error.log warn"
|
||
|
|
nginx_proxy_nginx_ssl_protocols: "TLSv1.2 TLSv1.3"
|
||
|
|
nginx_proxy_nginx_ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
|
||
|
|
nginx_proxy_nginx_ssl_prefer_server_ciphers: "on"
|
||
|
|
nginx_proxy_nginx_hsts_max_age: "31536000"
|
||
|
|
nginx_proxy_nginx_hsts_include_subdomains: true
|
||
|
|
|
||
|
|
nginx_proxy_oauth2_proxy_enabled: true
|
||
|
|
nginx_proxy_oauth2_proxy_bind: "127.0.0.1"
|
||
|
|
nginx_proxy_oauth2_proxy_port: 4180
|
||
|
|
nginx_proxy_oauth2_proxy_version: "2.13.0"
|
||
|
|
nginx_proxy_oauth2_proxy_cookie_domain: ".lab.alexpires.me"
|
||
|
|
nginx_proxy_oauth2_proxy_cookie_name: "_alexpires_oauth2_proxy"
|
||
|
|
nginx_proxy_oauth2_proxy_cookie_secret: "{{ lookup('env', 'OAUTH2_PROXY_COOKIE_SECRET', default='') }}"
|
||
|
|
nginx_proxy_oauth2_proxy_client_id: "{{ lookup('env', 'OAUTH2_PROXY_CLIENT_ID', default='') }}"
|
||
|
|
nginx_proxy_oauth2_proxy_client_secret: "{{ lookup('env', 'OAUTH2_PROXY_CLIENT_SECRET', default='') }}"
|
||
|
|
nginx_proxy_oauth2_proxy_redirect_url: "https://ide.lab.alexpires.me/oauth2/callback"
|
||
|
|
nginx_proxy_oauth2_proxy_provider: "gitea"
|
||
|
|
nginx_proxy_oauth2_proxy_provider_url: "https://code.alexpires.me"
|
||
|
|
nginx_proxy_oauth2_proxy_scopes: "openid profile email"
|
||
|
|
nginx_proxy_oauth2_proxy_email_domains: []
|
||
|
|
nginx_proxy_oauth2_proxy_upstream: "static://200"
|
||
|
|
nginx_proxy_oauth2_proxy_skip_jwt: false
|
||
|
|
nginx_proxy_oauth2_proxy_set_basic_auth: false
|
||
|
|
nginx_proxy_oauth2_proxy_set_xauthrequest: true
|
||
|
|
nginx_proxy_oauth2_proxy_ssl_insecure_skip_verify: false
|
||
|
|
nginx_proxy_oauth2_proxy_login_button: "Sign in with Gitea"
|
||
|
|
nginx_proxy_oauth2_proxy_proxy_prefix: "/oauth2"
|
||
|
|
nginx_proxy_oauth2_proxy_silent_login: false
|
||
|
|
nginx_proxy_oauth2_proxy_skip_provider_whoami: false
|
||
|
|
nginx_proxy_oauth2_proxy_cookie_refresh: "0s"
|
||
|
|
nginx_proxy_oauth2_proxy_cookie_expire: "168h"
|
||
|
|
nginx_proxy_oauth2_proxy_session_storage_type: "memory"
|
||
|
|
nginx_proxy_oauth2_proxy_request_logging: true
|
||
|
|
nginx_proxy_oauth2_proxy_log_file: "/var/log/oauth2-proxy.log"
|
||
|
|
nginx_proxy_oauth2_proxy_log_level: "info"
|
||
|
|
|
||
|
|
nginx_proxy_upstreams:
|
||
|
|
ide:
|
||
|
|
host: "127.0.0.1"
|
||
|
|
port: 3000
|
||
|
|
agent:
|
||
|
|
host: "127.0.0.1"
|
||
|
|
port: 4096
|
||
|
|
|
||
|
|
nginx_proxy_cloudns_auth_id: "{{ lookup('env', 'CLOUDNS_AUTH_ID') }}"
|
||
|
|
nginx_proxy_cloudns_auth_password: "{{ lookup('env', 'CLOUDNS_PASSWORD') }}"
|
||
|
|
nginx_proxy_cloudns_nameserver: "109.201.133.111"
|
||
|
|
```
|
||
|
|
|
||
|
|
#### `tasks/certbot.yml`
|
||
|
|
|
||
|
|
- Install certbot + certbot-dns-cloudns via pip
|
||
|
|
- Create CloudDNS credentials file at `/etc/letsencrypt/cloudns.ini`:
|
||
|
|
```ini
|
||
|
|
dns_cloudns_auth_id = {{ nginx_proxy_cloudns_auth_id }}
|
||
|
|
dns_cloudns_auth_password = {{ nginx_proxy_cloudns_auth_password }}
|
||
|
|
```
|
||
|
|
- Permissions: `0600`, owner: `root:root`
|
||
|
|
- Obtain SAN cert:
|
||
|
|
```sh
|
||
|
|
certbot certonly --dns-cloudns \
|
||
|
|
-d ide.lab.alexpires.me \
|
||
|
|
-d agent.lab.alexpires.me \
|
||
|
|
--non-interactive \
|
||
|
|
--agree-tos \
|
||
|
|
-m {{ nginx_proxy_certbot_email }}
|
||
|
|
```
|
||
|
|
- Create cron job for renewal (daily at 3:00 AM):
|
||
|
|
```sh
|
||
|
|
certbot renew --deploy-hook "systemctl reload nginx"
|
||
|
|
```
|
||
|
|
- Certs stored in `/etc/letsencrypt/live/ide.lab.alexpires.me/`
|
||
|
|
|
||
|
|
#### `tasks/nginx.yml`
|
||
|
|
|
||
|
|
- Install nginx package
|
||
|
|
- Render `nginx.conf` (global):
|
||
|
|
```nginx
|
||
|
|
user nginx;
|
||
|
|
worker_processes auto;
|
||
|
|
error_log {{ nginx_proxy_nginx_error_log }};
|
||
|
|
pid /run/nginx.pid;
|
||
|
|
|
||
|
|
events {
|
||
|
|
worker_connections {{ nginx_proxy_nginx_worker_connections }};
|
||
|
|
}
|
||
|
|
|
||
|
|
http {
|
||
|
|
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
||
|
|
'$status $body_bytes_sent "$http_referer" '
|
||
|
|
'"$http_user_agent" "$http_x_forwarded_for"';
|
||
|
|
|
||
|
|
access_log {{ nginx_proxy_nginx_access_log }} main;
|
||
|
|
|
||
|
|
sendfile on;
|
||
|
|
tcp_nopush on;
|
||
|
|
tcp_nodelay on;
|
||
|
|
keepalive_timeout 65;
|
||
|
|
types_hash_max_size 2048;
|
||
|
|
|
||
|
|
include /etc/nginx/mime.types;
|
||
|
|
default_type application/octet-stream;
|
||
|
|
|
||
|
|
# WebSocket upgrade mapping
|
||
|
|
map $http_upgrade $connection_upgrade {
|
||
|
|
default upgrade;
|
||
|
|
'' close;
|
||
|
|
}
|
||
|
|
|
||
|
|
include /etc/nginx/conf.d/*.conf;
|
||
|
|
}
|
||
|
|
```
|
||
|
|
- Render `nginx-server.conf` (server blocks):
|
||
|
|
```nginx
|
||
|
|
# IDE (code-server)
|
||
|
|
server {
|
||
|
|
listen 443 ssl http2;
|
||
|
|
server_name ide.lab.alexpires.me;
|
||
|
|
|
||
|
|
ssl_certificate /etc/letsencrypt/live/ide.lab.alexpires.me/fullchain.pem;
|
||
|
|
ssl_certificate_key /etc/letsencrypt/live/ide.lab.alexpires.me/privkey.pem;
|
||
|
|
ssl_protocols {{ nginx_proxy_nginx_ssl_protocols }};
|
||
|
|
ssl_ciphers {{ nginx_proxy_nginx_ssl_ciphers }};
|
||
|
|
ssl_prefer_server_ciphers {{ nginx_proxy_nginx_ssl_prefer_server_ciphers }};
|
||
|
|
|
||
|
|
add_header Strict-Transport-Security "max-age={{ nginx_proxy_nginx_hsts_max_age }}; {{ nginx_proxy_nginx_hsts_include_subdomains ? 'includeSubDomains' : '' }}" always;
|
||
|
|
|
||
|
|
# OAuth2 auth_request
|
||
|
|
location = /oauth2/ {
|
||
|
|
proxy_pass http://127.0.0.1:{{ nginx_proxy_oauth2_proxy_port }};
|
||
|
|
proxy_set_header Host $host;
|
||
|
|
proxy_set_header X-Real-IP $remote_addr;
|
||
|
|
proxy_set_header X-Scheme $scheme;
|
||
|
|
proxy_set_header X-Auth-Request-Redirect $request_uri;
|
||
|
|
}
|
||
|
|
|
||
|
|
location = /oauth2/callback {
|
||
|
|
proxy_pass http://127.0.0.1:{{ nginx_proxy_oauth2_proxy_port }}/oauth2/callback;
|
||
|
|
proxy_set_header Host $host;
|
||
|
|
proxy_set_header X-Real-IP $remote_addr;
|
||
|
|
proxy_set_header X-Scheme $scheme;
|
||
|
|
proxy_set_header X-Auth-Request-Redirect $request_uri;
|
||
|
|
}
|
||
|
|
|
||
|
|
location /oauth2/ {
|
||
|
|
proxy_pass http://127.0.0.1:{{ nginx_proxy_oauth2_proxy_port }};
|
||
|
|
proxy_set_header Host $host;
|
||
|
|
proxy_set_header X-Real-IP $remote_addr;
|
||
|
|
proxy_set_header X-Scheme $scheme;
|
||
|
|
}
|
||
|
|
|
||
|
|
location / {
|
||
|
|
auth_request /oauth2/;
|
||
|
|
auth_request_set $auth_status $upstream_status;
|
||
|
|
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
||
|
|
|
||
|
|
add_header Set-Cookie $auth_cookie;
|
||
|
|
|
||
|
|
proxy_pass http://127.0.0.1:{{ nginx_proxy_upstreams.ide.port }};
|
||
|
|
proxy_set_header Host $host;
|
||
|
|
proxy_set_header X-Real-IP $remote_addr;
|
||
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||
|
|
proxy_set_header X-Forwarded-Host $host;
|
||
|
|
proxy_set_header X-Forwarded-Port $server_port;
|
||
|
|
|
||
|
|
# WebSocket support
|
||
|
|
proxy_http_version 1.1;
|
||
|
|
proxy_set_header Upgrade $http_upgrade;
|
||
|
|
proxy_set_header Connection $connection_upgrade;
|
||
|
|
|
||
|
|
# Timeouts for code-server
|
||
|
|
proxy_read_timeout 3600s;
|
||
|
|
proxy_send_timeout 3600s;
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|
||
|
|
# Agent (opencode)
|
||
|
|
server {
|
||
|
|
listen 443 ssl http2;
|
||
|
|
server_name agent.lab.alexpires.me;
|
||
|
|
|
||
|
|
ssl_certificate /etc/letsencrypt/live/ide.lab.alexpires.me/fullchain.pem;
|
||
|
|
ssl_certificate_key /etc/letsencrypt/live/ide.lab.alexpires.me/privkey.pem;
|
||
|
|
ssl_protocols {{ nginx_proxy_nginx_ssl_protocols }};
|
||
|
|
ssl_ciphers {{ nginx_proxy_nginx_ssl_ciphers }};
|
||
|
|
ssl_prefer_server_ciphers {{ nginx_proxy_nginx_ssl_prefer_server_ciphers }};
|
||
|
|
|
||
|
|
add_header Strict-Transport-Security "max-age={{ nginx_proxy_nginx_hsts_max_age }}; {{ nginx_proxy_nginx_hsts_include_subdomains ? 'includeSubDomains' : '' }}" always;
|
||
|
|
|
||
|
|
# OAuth2 auth_request
|
||
|
|
location = /oauth2/ {
|
||
|
|
proxy_pass http://127.0.0.1:{{ nginx_proxy_oauth2_proxy_port }};
|
||
|
|
proxy_set_header Host $host;
|
||
|
|
proxy_set_header X-Real-IP $remote_addr;
|
||
|
|
proxy_set_header X-Scheme $scheme;
|
||
|
|
proxy_set_header X-Auth-Request-Redirect $request_uri;
|
||
|
|
}
|
||
|
|
|
||
|
|
location = /oauth2/callback {
|
||
|
|
proxy_pass http://127.0.0.1:{{ nginx_proxy_oauth2_proxy_port }}/oauth2/callback;
|
||
|
|
proxy_set_header Host $host;
|
||
|
|
proxy_set_header X-Real-IP $remote_addr;
|
||
|
|
proxy_set_header X-Scheme $scheme;
|
||
|
|
proxy_set_header X-Auth-Request-Redirect $request_uri;
|
||
|
|
}
|
||
|
|
|
||
|
|
location /oauth2/ {
|
||
|
|
proxy_pass http://127.0.0.1:{{ nginx_proxy_oauth2_proxy_port }};
|
||
|
|
proxy_set_header Host $host;
|
||
|
|
proxy_set_header X-Real-IP $remote_addr;
|
||
|
|
proxy_set_header X-Scheme $scheme;
|
||
|
|
}
|
||
|
|
|
||
|
|
location / {
|
||
|
|
auth_request /oauth2/;
|
||
|
|
auth_request_set $auth_status $upstream_status;
|
||
|
|
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
||
|
|
|
||
|
|
add_header Set-Cookie $auth_cookie;
|
||
|
|
|
||
|
|
proxy_pass http://127.0.0.1:{{ nginx_proxy_upstreams.agent.port }};
|
||
|
|
proxy_set_header Host $host;
|
||
|
|
proxy_set_header X-Real-IP $remote_addr;
|
||
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||
|
|
proxy_set_header X-Forwarded-Host $host;
|
||
|
|
proxy_set_header X-Forwarded-Port $server_port;
|
||
|
|
|
||
|
|
# WebSocket support
|
||
|
|
proxy_http_version 1.1;
|
||
|
|
proxy_set_header Upgrade $http_upgrade;
|
||
|
|
proxy_set_header Connection "upgrade";
|
||
|
|
|
||
|
|
# Timeouts for opencode
|
||
|
|
proxy_read_timeout 3600s;
|
||
|
|
proxy_send_timeout 3600s;
|
||
|
|
}
|
||
|
|
}
|
||
|
|
```
|
||
|
|
- Enable + start nginx service
|
||
|
|
- Set SELinux context: `semanage fcontext -a -t httpd_cert_t "/etc/letsencrypt(/.*)?"` + `restorecon -Rv /etc/letsencrypt`
|
||
|
|
|
||
|
|
#### `tasks/oauth2_proxy.yml`
|
||
|
|
|
||
|
|
- Download latest release from GitHub (Go binary for linux/amd64):
|
||
|
|
```sh
|
||
|
|
wget -qO /tmp/oauth2-proxy.tar.gz "https://github.com/oauth2-proxy/oauth2-proxy/releases/download/v{{ nginx_proxy_oauth2_proxy_version }}/oauth2-proxy-v{{ nginx_proxy_oauth2_proxy_version }}.linux-amd64.tar.gz"
|
||
|
|
tar xzf /tmp/oauth2-proxy.tar.gz -C /tmp/
|
||
|
|
mv /tmp/oauth2-proxy-v{{ nginx_proxy_oauth2_proxy_version }}.linux-amd64/oauth2-proxy /usr/local/bin/
|
||
|
|
```
|
||
|
|
- Render config file at `/etc/oauth2-proxy/oauth2-proxy.cfg`:
|
||
|
|
```ini
|
||
|
|
provider = "{{ nginx_proxy_oauth2_proxy_provider }}"
|
||
|
|
provider_url = "{{ nginx_proxy_oauth2_proxy_provider_url }}"
|
||
|
|
client_id = "{{ nginx_proxy_oauth2_proxy_client_id }}"
|
||
|
|
client_secret = "{{ nginx_proxy_oauth2_proxy_client_secret }}"
|
||
|
|
cookie_domain = "{{ nginx_proxy_oauth2_proxy_cookie_domain }}"
|
||
|
|
cookie_name = "{{ nginx_proxy_oauth2_proxy_cookie_name }}"
|
||
|
|
cookie_secret = "{{ nginx_proxy_oauth2_proxy_cookie_secret }}"
|
||
|
|
cookie_expire = "{{ nginx_proxy_oauth2_proxy_cookie_expire | default('168h') }}"
|
||
|
|
cookie_refresh = "{{ nginx_proxy_oauth2_proxy_cookie_refresh | default('0s') }}"
|
||
|
|
redirect_url = "{{ nginx_proxy_oauth2_proxy_redirect_url }}"
|
||
|
|
login_url = "{{ nginx_proxy_oauth2_proxy_provider_url }}/login/oauth/authorize"
|
||
|
|
redeem_url = "{{ nginx_proxy_oauth2_proxy_provider_url }}/login/oauth/access_token"
|
||
|
|
openid_connectissuerurl = "{{ nginx_proxy_oauth2_proxy_provider_url }}"
|
||
|
|
scopes = "{{ nginx_proxy_oauth2_proxy_scopes }}"
|
||
|
|
email_domains = {{ nginx_proxy_oauth2_proxy_email_domains | to_json }}
|
||
|
|
upstream = "{{ nginx_proxy_oauth2_proxy_upstream }}"
|
||
|
|
skip_jwt_bearer_tokens = {{ nginx_proxy_oauth2_proxy_skip_jwt | lower }}
|
||
|
|
set_basic_auth = {{ nginx_proxy_oauth2_proxy_set_basic_auth | lower }}
|
||
|
|
set_xauthrequest = {{ nginx_proxy_oauth2_proxy_set_xauthrequest | lower }}
|
||
|
|
ssl_insecure_skip_verify = {{ nginx_proxy_oauth2_proxy_ssl_insecure_skip_verify | lower }}
|
||
|
|
proxy_prefix = "{{ nginx_proxy_oauth2_proxy_proxy_prefix }}"
|
||
|
|
silent_login = {{ nginx_proxy_oauth2_proxy_silent_login | lower }}
|
||
|
|
skip_provider_whoami = {{ nginx_proxy_oauth2_proxy_skip_provider_whoami | lower }}
|
||
|
|
listen = "{{ nginx_proxy_oauth2_proxy_bind }}:{{ nginx_proxy_oauth2_proxy_port }}"
|
||
|
|
{% if nginx_proxy_oauth2_proxy_request_logging | default(true) %}
|
||
|
|
logfile_filename = "{{ nginx_proxy_oauth2_proxy_log_file | default('/var/log/oauth2-proxy.log') }}"
|
||
|
|
{% endif %}
|
||
|
|
{% if nginx_proxy_oauth2_proxy_log_level | default('info') %}
|
||
|
|
log_level = "{{ nginx_proxy_oauth2_proxy_log_level | default('info') }}"
|
||
|
|
{% endif %}
|
||
|
|
cookie_secure = false
|
||
|
|
{% if nginx_proxy_oauth2_proxy_login_button | default('Sign in with Gitea') %}
|
||
|
|
custom_login_message = "Sign in with your Gitea account"
|
||
|
|
{% endif %}
|
||
|
|
```
|
||
|
|
- Create systemd service at `/etc/systemd/system/oauth2-proxy.service`:
|
||
|
|
```ini
|
||
|
|
[Unit]
|
||
|
|
Description=oauth2-proxy for {{ nginx_proxy_oauth2_proxy_cookie_domain }}
|
||
|
|
After=network.target
|
||
|
|
|
||
|
|
[Service]
|
||
|
|
Type=simple
|
||
|
|
User=nginx
|
||
|
|
ExecStart=/usr/local/bin/oauth2-proxy --config /etc/oauth2-proxy/oauth2-proxy.cfg
|
||
|
|
Restart=always
|
||
|
|
RestartSec=5
|
||
|
|
|
||
|
|
[Install]
|
||
|
|
WantedBy=multi-user.target
|
||
|
|
```
|
||
|
|
- Enable + start service
|
||
|
|
- Set config file permissions: `0640`, owner `root:nginx` (contains `client_secret`)
|
||
|
|
- Create log directory with proper permissions: `mkdir -p /var/log && chown nginx:nginx /var/log/oauth2-proxy.log`
|
||
|
|
|
||
|
|
### Notes
|
||
|
|
|
||
|
|
- **opencode without credentials** — Verify opencode starts and functions correctly when `OPENCODE_SERVER_USERNAME`/`OPENCODE_SERVER_PASSWORD` are not set. If opencode requires them to start, we may need to keep them but they will be ignored since nginx/oauth2-proxy handles auth.
|
||
|
|
|
||
|
|
### 2. Update `linux_dev_station` Role
|
||
|
|
|
||
|
|
#### `defaults/main.yml`
|
||
|
|
|
||
|
|
- Change `linux_dev_station_code_server_host` default to `127.0.0.1`
|
||
|
|
- Change `linux_dev_station_opencode_server_host` default to `127.0.0.1`
|
||
|
|
|
||
|
|
#### `templates/code-server.service.j2`
|
||
|
|
|
||
|
|
- Change `--bind-addr` to `127.0.0.1:3000`
|
||
|
|
- **Remove** `Environment="PASSWORD={{ linux_dev_station_code_server_password }}"` — SSO handles auth, no password needed
|
||
|
|
|
||
|
|
#### `templates/opencode.service.j2`
|
||
|
|
|
||
|
|
- Change `--hostname` to `127.0.0.1`
|
||
|
|
- **Remove** `Environment="OPENCODE_SERVER_USERNAME={{ linux_dev_station_opencode_server_username }}"` — SSO handles auth
|
||
|
|
- **Remove** `Environment="OPENCODE_SERVER_PASSWORD={{ linux_dev_station_opencode_server_password }}"` — SSO handles auth
|
||
|
|
|
||
|
|
### 3. Update dev-01 DNS & Remove Proxy Config
|
||
|
|
|
||
|
|
#### `terraform/apps/dev-01/config.tf`
|
||
|
|
|
||
|
|
**Add DNS records** for `ide` and `agent` pointing to dev-02 (`10.19.4.210`):
|
||
|
|
|
||
|
|
```hcl
|
||
|
|
{
|
||
|
|
name = "ide"
|
||
|
|
type = "A"
|
||
|
|
content = "10.19.4.210"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
name = "agent"
|
||
|
|
type = "A"
|
||
|
|
content = "10.19.4.210"
|
||
|
|
},
|
||
|
|
```
|
||
|
|
|
||
|
|
**Remove** the `opencode` and `code-server` entries from `proxy_services` (no longer needed, dev-02 handles its own TLS).
|
||
|
|
|
||
|
|
**Remove** the `opencode` and `vscode` CNAME records from the `zones` list:
|
||
|
|
```hcl
|
||
|
|
// Remove these:
|
||
|
|
{
|
||
|
|
name = "opencode"
|
||
|
|
type = "CNAME"
|
||
|
|
content = "dev-01.${local.lab_domain}."
|
||
|
|
},
|
||
|
|
{
|
||
|
|
name = "vscode"
|
||
|
|
type = "CNAME"
|
||
|
|
content = "dev-01.${local.lab_domain}."
|
||
|
|
},
|
||
|
|
```
|
||
|
|
|
||
|
|
### 4. Update Host Vars & Inventory
|
||
|
|
|
||
|
|
#### `ansible/host_vars/dev-02.lab.alexpires.me.yml`
|
||
|
|
|
||
|
|
Add:
|
||
|
|
|
||
|
|
```yaml
|
||
|
|
# Certbot
|
||
|
|
nginx_proxy_certbot_enabled: true
|
||
|
|
nginx_proxy_certbot_email: "c.alexandre.pires@alexpires.me"
|
||
|
|
nginx_proxy_certbot_domains:
|
||
|
|
- "ide.lab.alexpires.me"
|
||
|
|
- "agent.lab.alexpires.me"
|
||
|
|
nginx_proxy_certbot_credential_file: "/etc/letsencrypt/cloudns.ini"
|
||
|
|
nginx_proxy_cloudns_auth_id: "{{ lookup('env', 'CLOUDNS_AUTH_ID') }}"
|
||
|
|
nginx_proxy_cloudns_auth_password: "{{ lookup('env', 'CLOUDNS_PASSWORD') }}"
|
||
|
|
nginx_proxy_cloudns_nameserver: "109.201.133.111"
|
||
|
|
|
||
|
|
# OAuth2 / Gitea
|
||
|
|
nginx_proxy_oauth2_proxy_cookie_secret: "{{ lookup('env', 'OAUTH2_PROXY_COOKIE_SECRET') }}"
|
||
|
|
nginx_proxy_oauth2_proxy_client_id: "{{ lookup('env', 'OAUTH2_PROXY_CLIENT_ID') }}"
|
||
|
|
nginx_proxy_oauth2_proxy_client_secret: "{{ lookup('env', 'OAUTH2_PROXY_CLIENT_SECRET') }}"
|
||
|
|
```
|
||
|
|
|
||
|
|
#### `inventory/hosts`
|
||
|
|
|
||
|
|
Add `dev-02.lab.alexpires.me` to `[certbot]` group:
|
||
|
|
```ini
|
||
|
|
[certbot]
|
||
|
|
dev-02.lab.alexpires.me
|
||
|
|
```
|
||
|
|
|
||
|
|
### 5. Gitea OAuth2 Application
|
||
|
|
|
||
|
|
Register one OAuth2 app in Gitea:
|
||
|
|
- **Name:** `lab-services`
|
||
|
|
- **Redirect URI:** `https://ide.lab.alexpires.me/oauth2/callback`
|
||
|
|
- **Scopes:** `openid`, `profile`, `email`
|
||
|
|
- **Result:** `client_id` + `client_secret` → stored in `sectool` / env vars
|
||
|
|
|
||
|
|
### 6. Firewall Changes (handled by existing firewall role)
|
||
|
|
|
||
|
|
| Port | Before | After |
|
||
|
|
|------|--------|-------|
|
||
|
|
| 22 | `10.19.4.0/24` + VPN | Same |
|
||
|
|
| 3000 | `10.19.4.0/24` | **CLOSED** |
|
||
|
|
| 4096 | `10.19.4.0/24` | **CLOSED** |
|
||
|
|
| 443 | — | `10.19.4.0/24` + VPN |
|
||
|
|
|
||
|
|
The `linux_dev_station` role already manages firewall rules. Update `fw_allowed_ports` in host_vars:
|
||
|
|
```yaml
|
||
|
|
fw_allowed_ports:
|
||
|
|
- { rule: "allow", port: "22", proto: "tcp", from: "10.19.4.0/24" }
|
||
|
|
- { rule: "allow", port: "22", proto: "tcp", from: "10.5.5.5/32" }
|
||
|
|
- { rule: "allow", port: "443", proto: "tcp", from: "10.19.4.0/24" }
|
||
|
|
- { rule: "allow", port: "443", proto: "tcp", from: "10.5.5.5/32" }
|
||
|
|
```
|
||
|
|
|
||
|
|
## SELinux Considerations
|
||
|
|
|
||
|
|
- Fedora ships with SELinux enforcing by default
|
||
|
|
- nginx needs permission to read certs: `semanage fcontext -a -t httpd_cert_t "/etc/letsencrypt(/.*)?"` + `restorecon -Rv /etc/letsencrypt`
|
||
|
|
- oauth2-proxy runs as `nginx` user — ensure systemd service file sets `User=nginx`
|
||
|
|
- nginx needs outbound HTTP/HTTPS to Gitea and CloudDNS API — these are allowed by default for the `httpd_t` domain
|
||
|
|
|
||
|
|
## Playbook Structure
|
||
|
|
|
||
|
|
```yaml
|
||
|
|
# playbook_linux_dev_station.yml
|
||
|
|
- hosts: linux_dev
|
||
|
|
roles:
|
||
|
|
- linux_dev_station
|
||
|
|
|
||
|
|
# playbook_nginx_proxy.yml
|
||
|
|
- hosts: nginx
|
||
|
|
roles:
|
||
|
|
- nginx_proxy
|
||
|
|
```
|
||
|
|
|
||
|
|
The `nginx_proxy` role is a standalone, generic role — not tied to `linux_dev_station`.
|
||
|
|
|
||
|
|
## Apply Order
|
||
|
|
|
||
|
|
1. Register Gitea OAuth2 app → store creds in `sectool`
|
||
|
|
2. Run `playbook_nginx_proxy.yml` on dev-02 (Ansible)
|
||
|
|
3. Update `fw_allowed_ports` in dev-02 host_vars (close 3000/4096, add 443)
|
||
|
|
4. Update dev-01 DNS + remove proxy config (Terraform)
|
||
|
|
5. Verify: `https://ide.lab.alexpires.me` → SSO via Gitea
|
||
|
|
6. Verify: `https://agent.lab.alexpires.me` → SSO via Gitea
|
||
|
|
|
||
|
|
## Files to Create
|
||
|
|
|
||
|
|
| File | Action |
|
||
|
|
|------|--------|
|
||
|
|
| `ansible/roles/nginx_proxy/` | **NEW** role |
|
||
|
|
| `ansible/playbook_nginx_proxy.yml` | **NEW** standalone playbook (`hosts: certbot`) |
|
||
|
|
| `ansible/roles/linux_dev_station/defaults/main.yml` | Update bind to `127.0.0.1` |
|
||
|
|
| `ansible/roles/linux_dev_station/templates/code-server.service.j2` | `--bind-addr 127.0.0.1:3000` |
|
||
|
|
| `ansible/roles/linux_dev_station/templates/opencode.service.j2` | `--hostname 127.0.0.1` |
|
||
|
|
| `ansible/host_vars/dev-02.lab.alexpires.me.yml` | Add certbot + oauth2 vars |
|
||
|
|
| `inventory/hosts` | Add dev-02 to `[certbot]` |
|
||
|
|
| `terraform/apps/dev-01/config.tf` | Add DNS records for ide/agent, remove proxy config, remove CNAMEs |
|
||
|
|
| `implemented/linux_dev_station.md` | Update report |
|