From 66ddef96e2d8f7667f8a9056c87abece93f91855 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Wed, 8 Nov 2023 19:46:16 +0000 Subject: [PATCH] Use OIDC to log in to tt-rss --- .../files/tt-rss/docker-compose.yml | 5 +++++ ansible/roles/pve_docker/tasks/tt-rss.yml | 16 ++++++++++++-- ansible/roles/pve_docker/vars/tt-rss.yml | 21 +++++++++++++++++++ 3 files changed, 40 insertions(+), 2 deletions(-) create mode 100644 ansible/roles/pve_docker/vars/tt-rss.yml diff --git a/ansible/roles/pve_docker/files/tt-rss/docker-compose.yml b/ansible/roles/pve_docker/files/tt-rss/docker-compose.yml index 99af7ea..37f78ca 100644 --- a/ansible/roles/pve_docker/files/tt-rss/docker-compose.yml +++ b/ansible/roles/pve_docker/files/tt-rss/docker-compose.yml @@ -12,6 +12,11 @@ x-app: &app - TTRSS_CHECK_FOR_UPDATES=false - TTRSS_ENABLE_GZIP_OUTPUT=true - TTRSS_NO_STARTUP_PLUGIN_UPDATES=true + - TTRSS_PLUGINS=auth_oidc + - TTRSS_AUTH_OIDC_NAME=Authentik + - TTRSS_AUTH_OIDC_URL=https://auth.jakehoward.tech/application/o/tt-rss/ + - TTRSS_AUTH_OIDC_CLIENT_ID={{ tt_rss_oidc_client_id }} + - TTRSS_AUTH_OIDC_CLIENT_SECRET={{ tt_rss_oidc_client_secret }} - OWNER_UID={{ docker_user.id }} - OWNER_GID={{ docker_user.id }} - PHP_WORKER_MAX_CHILDREN=50 diff --git a/ansible/roles/pve_docker/tasks/tt-rss.yml b/ansible/roles/pve_docker/tasks/tt-rss.yml index 33e8149..446145c 100644 --- a/ansible/roles/pve_docker/tasks/tt-rss.yml +++ b/ansible/roles/pve_docker/tasks/tt-rss.yml @@ -1,3 +1,6 @@ +- name: Include tt-rss variables + include_vars: tt-rss.yml + - name: Create tt-rss directory file: path: /opt/tt-rss @@ -34,6 +37,15 @@ become: true become_user: "{{ docker_user.name }}" +- name: Install OIDC plugin + git: + repo: https://git.tt-rss.org/fox/ttrss-auth-oidc.git + dest: "{{ plugins_dir.path }}/auth_oidc" + depth: 1 + register: oidc_plugin + become: true + become_user: "{{ docker_user.name }}" + - name: Ensure plugins are owned by {{ docker_user.name }} file: path: "{{ plugins_dir.path }}" 
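Review bot: The two new credential lines are rendered as plain scalars inside `KEY=VALUE` list items, so a client secret that happens to contain ` #` or `: ` would be truncated or break the compose file at render time; the existing items are unquoted, but the templated credentials warrant quoting, e.g. `- "TTRSS_AUTH_OIDC_CLIENT_ID={{ tt_rss_oidc_client_id }}"` and `- "TTRSS_AUTH_OIDC_CLIENT_SECRET={{ tt_rss_oidc_client_secret }}"`. Once rendered, the compose file on the host and `docker inspect` of any service built from the `&app` anchor expose the decrypted secret in clear text, so the task that renders this file (presumably a `template` task elsewhere in the role) should set `no_log: true` so the value does not appear in `--diff` or verbose output, and the file should be written with a restrictive mode or the two values moved to an `env_file` readable only by `{{ docker_user.name }}`. The `x-app: &app` mapping this hunk edits starts outside the hunk.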
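Review bot: The `Install OIDC plugin` task clones the default branch with no `version:`, so every run silently takes whatever HEAD the upstream repository has at that moment, and that PHP code then runs inside the tt-rss container as the authentication plugin. Pin the clone, e.g. `version: "<pinned tag or commit>"` next to `depth: 1` (a tag is generally the more portable pin for a shallow clone), and move the pin deliberately when updating; if the fever plugin task above this hunk uses the same unpinned clone it should be pinned the same way. A pinned clone still reports `changed` correctly, so the `register: oidc_plugin` gating in the ownership and restart tasks keeps working.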
@@ -42,10 +54,10 @@ mode: u=rwX,g=rwX,o=rX recurse: true become: true - when: fever_plugin.changed + when: fever_plugin.changed or oidc_plugin.changed - name: restart tt-rss shell: chdir: /opt/tt-rss cmd: "{{ docker_update_command }}" - when: compose_file.changed or fever_plugin.changed + when: compose_file.changed or fever_plugin.changed or oidc_plugin.changed diff --git a/ansible/roles/pve_docker/vars/tt-rss.yml b/ansible/roles/pve_docker/vars/tt-rss.yml new file mode 100644 index 0000000..e6b7fbd --- /dev/null +++ b/ansible/roles/pve_docker/vars/tt-rss.yml 
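Review bot: The extended conditions keep the attribute form `oidc_plugin.changed`, whereas Ansible's documented idiom for registered results is the test form, `when: fever_plugin is changed or oidc_plugin is changed` and `when: compose_file is changed or fever_plugin is changed or oidc_plugin is changed`. Both forms behave the same here, so this is a style point only. The enclosing task list continues outside the hunk.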
@@ -0,0 +1,21 @@
+tt_rss_oidc_client_id: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 37303438653837653530633362613665653232373637363562386638313532626335393466383537
+ 3764386332343131346466616162623566323535313030300a303934356665373438646234386262
+ 30656135393734303265346465313237323935623161313739326165616263633962343364323737
+ 3237646264636165310a633864636166666561393733623332663031396336363761313965363734
+ 66343439613232323836346435353530373339343233306665363630303133393231363361343336
+ 3962656630383363336433666539643030376232363438643961
+tt_rss_oidc_client_secret: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 31343432386662653236623164323139653266353338336237313735356266633731396238633863
+ 3230303262386236333830343866373661353836613764320a343436633638626137636364316563
+ 63346238306637643038663530313964646230313439353061313539303761393533313236393036
+ 6136363837636462650a326130653761626334656235633864363734656462636638623237316635
+ 31373262353937333035356262333032663837613038353935313636633333623465346431383539
+ 35356130333439356339616665343935393962343066376234656431613565356238633932643966
+ 31313536373833653938643536653062313335653161326430356533316262633937303632646536
+ 61383534343232303533356135343237336462623738386232313863353866626136653534663236
+ 61343130653336613561323266636137636130393465656434306163356231333231653261623765
+ 35616336656639633464373762303164623631326436386637383661366662343331633232366432
+ 316138653666643865303138633437653866
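Review bot: The new vars file has no `---` document start and no comment saying what the two vaulted values are or where they were issued, which matters because vaulted values cannot be grepped or read back without the vault password; start the file with `---` and add a header such as `# OIDC client credentials for tt-rss, issued by the Authentik provider; rotate with ansible-vault encrypt_string`. Vaulting both values is acceptable, though the client id is not normally secret, so leaving `tt_rss_oidc_client_id` in clear text and vaulting only `tt_rss_oidc_client_secret` would keep the id visible for troubleshooting.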