From 48efff09b866daab7429b25bf1cd829813a7cf2e Mon Sep 17 00:00:00 2001
From: Jannik Kramer
Date: Thu, 3 Jul 2025 11:32:19 +0200
Subject: [PATCH] adds oauth2-proxy to sterling-pdf
---
 docker_compose_applications/n8n/compose.yaml | 8 ++++++--
 .../oauth2-proxy/oauth2-proxy.cfg | 12 ++++++++++++
 .../reverse-proxy/Caddyfile | 4 ++--
 .../reverse-proxy/compose.yaml | 11 ++++++++++-
 .../stirling-pdf/compose.yaml | 16 +++++++++++-----
 .../hetzner/host_vars/cit-docker-host.yaml | 2 ++
 6 files changed, 43 insertions(+), 10 deletions(-)
 create mode 100644 docker_compose_applications/oauth2-proxy/oauth2-proxy.cfg
diff --git a/docker_compose_applications/n8n/compose.yaml b/docker_compose_applications/n8n/compose.yaml
index 8f5079f..6f706c8 100644
--- a/docker_compose_applications/n8n/compose.yaml
+++ b/docker_compose_applications/n8n/compose.yaml
@@ -7,8 +7,6 @@ services:
 image: docker.n8n.io/n8nio/n8n
 container_name: n8n
 restart: unless-stopped
- ports:
- - "127.0.0.1:5678:5678"
 environment:
 - GENERIC_TIMEZONE=Europe/Berlin
 - N8N_HOST=n8n.consider-funding.de
@@ -19,3 +17,9 @@ services:
 volumes:
 - /ansible_docker_compose/project_data/n8n/data:/home/node/.n8n
 - /ansible_docker_compose/project_data/n8n/files:/files
+ networks:
+ - caddy_net
+
+networks:
+ caddy_net:
+ external: true
diff --git a/docker_compose_applications/oauth2-proxy/oauth2-proxy.cfg b/docker_compose_applications/oauth2-proxy/oauth2-proxy.cfg
new file mode 100644
index 0000000..ee68854
--- /dev/null
+++ b/docker_compose_applications/oauth2-proxy/oauth2-proxy.cfg
@@ -0,0 +1,12 @@
+provider = "entra-id"
+oidc_issuer_url = ""
+client_id = ""
+client_secret = ""
+cookie_secret = ""
+upstreams = [ "http://stirling-pdf:8080" ]
+http_address = "0.0.0.0:4180"
+redirect_url = "https://pdf.consider-it.de/oauth2/callback"
+cookie_secure = true
+email_domains = [ "*" ]
+scope = "openid"
+skip_provider_button = true
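Review bot: Joining n8n to the shared `caddy_net` in the second n8n hunk puts it on the same flat network as `stirling-pdf`, which in this patch runs with `SECURITY_ENABLE_LOGIN: "false"` and relies on oauth2-proxy as its only authentication. Every container on `caddy_net` can reach `http://stirling-pdf:8080` directly and so skip the proxy, and n8n workflows are able to issue HTTP requests to internal hosts. Consider a dedicated network shared only by oauth2-proxy and stirling-pdf, with `caddy_net` kept for Caddy and the services it fronts directly; the same applies to the `networks:` block added in stirling-pdf/compose.yaml.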
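Review bot: `email_domains = [ "*" ]` accepts every account the identity provider authenticates, so who can reach the PDF service depends entirely on the tenant behind `oidc_issuer_url`, which is blank in this file and cannot be checked here. Unless the app registration is known to be single-tenant, restrict it, for example `email_domains = [ "consider-it.de" ]` (assuming that is the staff mail domain) or a group restriction. `scope = "openid"` alone may not return an email claim, which oauth2-proxy expects by default; `scope = "openid email profile"` is the usual setting. Keep `client_secret` and `cookie_secret` out of the repository and supply them at deploy time, for example through the `OAUTH2_PROXY_CLIENT_SECRET` and `OAUTH2_PROXY_COOKIE_SECRET` environment variables.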
diff --git a/docker_compose_applications/reverse-proxy/Caddyfile b/docker_compose_applications/reverse-proxy/Caddyfile index a36c226..78cf3b0 100644 --- a/docker_compose_applications/reverse-proxy/Caddyfile +++ b/docker_compose_applications/reverse-proxy/Caddyfile @@ -1,9 +1,9 @@ pdf.consider-it.de { - reverse_proxy 127.0.0.1:8080 + reverse_proxy oauth2-proxy:4180 } n8n.consider-funding.de { - reverse_proxy 127.0.0.1:5678 { + reverse_proxy n8n:5678 { flush_interval -1 } } diff --git a/docker_compose_applications/reverse-proxy/compose.yaml b/docker_compose_applications/reverse-proxy/compose.yaml index 0fc3127..8bbfcbc 100644 --- a/docker_compose_applications/reverse-proxy/compose.yaml +++ b/docker_compose_applications/reverse-proxy/compose.yaml @@ -5,8 +5,17 @@ services: caddy: image: caddy + container_name: caddy restart: unless-stopped - network_mode: host + ports: + - "80:80" + - "443:443" volumes: - "./Caddyfile:/etc/caddy/Caddyfile:ro" - "/ansible_docker_compose/project_data/reverse-proxy/caddy/data:/data" + networks: + - caddy_net + +networks: + caddy_net: + name: caddy_net diff --git a/docker_compose_applications/stirling-pdf/compose.yaml b/docker_compose_applications/stirling-pdf/compose.yaml index 5b06ed0..359aeb7 100644 --- a/docker_compose_applications/stirling-pdf/compose.yaml +++ b/docker_compose_applications/stirling-pdf/compose.yaml 
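Review bot: In reverse-proxy/compose.yaml, replacing `network_mode: host` with `- "443:443"` publishes TCP only, so HTTP/3, which Caddy serves over UDP 443 by default, stops being reachable from outside. Add `- "443:443/udp"` under `ports:` if HTTP/3 should keep working. Separately, `image: caddy` carries no tag; pinning a version would keep the internet-facing proxy from changing silently on the next pull.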
@@ -8,20 +8,26 @@ services: stirling-pdf: image: frooodle/s-pdf:latest + container_name: stirling-pdf restart: unless-stopped - ports: - - "8080:8080" volumes: - - "./customFiles/static/:/customFiles/static/:ro" - - "/ansible_docker_compose/project_data/stirling-pdf/logs/:/logs/:rw" - "/ansible_docker_compose/project_data/stirling-pdf/tessdata:/usr/share/tessdata:rw" + - "/ansible_docker_compose/project_data/stirling-pdf/configs/:/configs/:rw" + - "/ansible_docker_compose/project_data/stirling-pdf/logs/:/logs/:rw" + - "./customFiles/static/:/customFiles/static/:ro" environment: DOCKER_ENABLE_SECURITY: "false" SECURITY_ENABLE_LOGIN: "false" LANGS: "en_GB,en_US,ar_AR,de_DE,fr_FR,es_ES,zh_CN,zh_TW,ca_CA,it_IT,sv_SE,pl_PL,ro_RO,ko_KR,pt_BR,ru_RU,el_GR,hi_IN,hu_HU,tr_TR,id_ID" SYSTEM_DEFAULT_LOCALE: de-DE - SYSTEM_GOOGLEVISIBILITY: "false" UI_APPNAME: "consider it PDF" UI_HOMEDESCRIPTION: "Impressum: https://consider-it.de/impressum/ Datenschutz: https://consider-it.de/datenschutzerklaerung/" + SYSTEM_GOOGLEVISIBILITY: "false" METRICS_ENABLED: "false" SYSTEM_ENABLEANALYTICS: "false" + networks: + - caddy_net + +networks: + caddy_net: + external: true diff --git a/inventories/hetzner/host_vars/cit-docker-host.yaml b/inventories/hetzner/host_vars/cit-docker-host.yaml index 77481a8..1a91d9c 100644 --- a/inventories/hetzner/host_vars/cit-docker-host.yaml +++ b/inventories/hetzner/host_vars/cit-docker-host.yaml @@ -5,3 +5,5 @@ docker_compose__projects: files_directory: ../docker_compose_applications/stirling-pdf - name: n8n files_directory: ../docker_compose_applications/n8n + - name: oauth2-proxy + files_directory: ../docker_compose_applications/oauth2-proxy
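Review bot: The new `oauth2-proxy` entry in cit-docker-host.yaml points at `../docker_compose_applications/oauth2-proxy`, but this patch creates only `oauth2-proxy.cfg` in that directory and no compose file. Unless a `compose.yaml` for that project already exists outside this patch, no container named `oauth2-proxy` will be on `caddy_net`, and the Caddyfile upstream `oauth2-proxy:4180` will fail to resolve for pdf.consider-it.de. The projects in this patch also declare `caddy_net` as `external: true`, so the reverse-proxy project that creates the network has to be deployed before them; its position in this list is outside the hunk.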