From 808a775ebe3c2eb0d8a035be86dff1576cb91329 Mon Sep 17 00:00:00 2001
From: Robert Helewka
Date: Sat, 14 Mar 2026 01:37:38 +0000
Subject: [PATCH] feat: update OAuth client IDs and secrets in configuration files
---
 ansible/casdoor/init_data.json.j2 | 162 ++++++++++++++++--
 ansible/inventory/host_vars/titania.incus.yml | 13 ++
 terraform/containers.tf | 12 +-
 3 files changed, 169 insertions(+), 18 deletions(-)
diff --git a/ansible/casdoor/init_data.json.j2 b/ansible/casdoor/init_data.json.j2
index 2682f23..3722914 100644
--- a/ansible/casdoor/init_data.json.j2
+++ b/ansible/casdoor/init_data.json.j2
@@ -66,8 +66,8 @@
 "enablePassword": true,
 "enableSignUp": true,
 "disableSignin": false,
- "clientId": "{{ vault_angelia_oauth_client_id }}",
- "clientSecret": "{{ vault_angelia_oauth_client_secret }}",
+ "clientId": "{{ angelia_oauth_client_id }}",
+ "clientSecret": "{{ angelia_oauth_client_secret }}",
 "providers": [],
 "signinMethods": [
 {"name": "Password", "displayName": "Password", "rule": "All"},
@@ -101,6 +101,144 @@
 "formCss": "",
 "footerHtml": "
Powered by Helu.ca
"
 },
+ {
+ "owner": "admin",
+ "name": "athena",
+ "displayName": "Athena",
+ "logo": "https://helu.ca/media/images/helu-ca_logo.original.svg",
+ "homepageUrl": "https://athena.ouranos.helu.ca",
+ "organization": "heluca",
+ "cert": "cert-heluca",
+ "enablePassword": true,
+ "enableSignUp": true,
+ "disableSignin": false,
+ "clientId": "{{ athena_oauth2_client_id }}",
+ "clientSecret": "{{ athena_oauth2_client_secret }}",
+ "providers": [],
+ "signinMethods": [
+ {"name": "Password", "displayName": "Password", "rule": "All"},
+ {"name": "Verification code", "displayName": "Verification code", "rule": "All"},
+ {"name": "WebAuthn", "displayName": "WebAuthn", "rule": "None"}
+ ],
+ "signupItems": [
+ {"name": "ID", "visible": false, "required": true, "prompted": false, "rule": "Random"},
+ {"name": "Email", "visible": true, "required": true, "prompted": false, "rule": "None"},
+ {"name": "Display name", "visible": true, "required": true, "prompted": false, "rule": "None"},
+ {"name": "Password", "visible": true, "required": true, "prompted": false, "rule": "None"},
+ {"name": "Confirm password", "visible": true, "required": true, "prompted": false, "rule": "None"},
+ {"name": "Agreement", "visible": true, "required": true, "prompted": false, "rule": "None"}
+ ],
+ "grantTypes": [
+ "authorization_code",
+ "password",
+ "client_credentials",
+ "token",
+ "id_token",
+ "refresh_token"
+ ],
+ "redirectUris": [
+ "https://athena.ouranos.helu.ca/accounts/oidc/casdoor/login/callback/"
+ ],
+ "tokenFormat": "JWT",
+ "tokenFields": [],
+ "expireInHours": 168,
+ "failedSigninLimit": 5,
+ "failedSigninFrozenTime": 15,
+ "formCss": "",
+ "footerHtml": "
Powered by Helu.ca
"
+ },
+ {
+ "owner": "admin",
+ "name": "kairos",
+ "displayName": "Kairos",
+ "logo": "https://helu.ca/media/images/helu-ca_logo.original.svg",
+ "homepageUrl": "https://kairos.ouranos.helu.ca",
+ "organization": "heluca",
+ "cert": "cert-heluca",
+ "enablePassword": true,
+ "enableSignUp": true,
+ "disableSignin": false,
+ "clientId": "{{ kairos_oauth2_client_id }}",
+ "clientSecret": "{{ kairos_oauth2_client_secret }}",
+ "providers": [],
+ "signinMethods": [
+ {"name": "Password", "displayName": "Password", "rule": "All"},
+ {"name": "Verification code", "displayName": "Verification code", "rule": "All"},
+ {"name": "WebAuthn", "displayName": "WebAuthn", "rule": "None"}
+ ],
+ "signupItems": [
+ {"name": "ID", "visible": false, "required": true, "prompted": false, "rule": "Random"},
+ {"name": "Email", "visible": true, "required": true, "prompted": false, "rule": "None"},
+ {"name": "Display name", "visible": true, "required": true, "prompted": false, "rule": "None"},
+ {"name": "Password", "visible": true, "required": true, "prompted": false, "rule": "None"},
+ {"name": "Confirm password", "visible": true, "required": true, "prompted": false, "rule": "None"},
+ {"name": "Agreement", "visible": true, "required": true, "prompted": false, "rule": "None"}
+ ],
+ "grantTypes": [
+ "authorization_code",
+ "password",
+ "client_credentials",
+ "token",
+ "id_token",
+ "refresh_token"
+ ],
+ "redirectUris": [
+ "https://kairos.ouranos.helu.ca/accounts/oidc/casdoor/login/callback/"
+ ],
+ "tokenFormat": "JWT",
+ "tokenFields": [],
+ "expireInHours": 168,
+ "failedSigninLimit": 5,
+ "failedSigninFrozenTime": 15,
+ "formCss": "",
+ "footerHtml": "
Powered by Helu.ca
"
+ },
+ {
+ "owner": "admin",
+ "name": "spelunker",
+ "displayName": "Spelunker",
+ "logo": "https://helu.ca/media/images/helu-ca_logo.original.svg",
+ "homepageUrl": "https://spelunker.ouranos.helu.ca",
+ "organization": "heluca",
+ "cert": "cert-heluca",
+ "enablePassword": true,
+ "enableSignUp": true,
+ "disableSignin": false,
+ "clientId": "{{ spelunker_oauth2_client_id }}",
+ "clientSecret": "{{ spelunker_oauth2_client_secret }}",
+ "providers": [],
+ "signinMethods": [
+ {"name": "Password", "displayName": "Password", "rule": "All"},
+ {"name": "Verification code", "displayName": "Verification code", "rule": "All"},
+ {"name": "WebAuthn", "displayName": "WebAuthn", "rule": "None"}
+ ],
+ "signupItems": [
+ {"name": "ID", "visible": false, "required": true, "prompted": false, "rule": "Random"},
+ {"name": "Email", "visible": true, "required": true, "prompted": false, "rule": "None"},
+ {"name": "Display name", "visible": true, "required": true, "prompted": false, "rule": "None"},
+ {"name": "Password", "visible": true, "required": true, "prompted": false, "rule": "None"},
+ {"name": "Confirm password", "visible": true, "required": true, "prompted": false, "rule": "None"},
+ {"name": "Agreement", "visible": true, "required": true, "prompted": false, "rule": "None"}
+ ],
+ "grantTypes": [
+ "authorization_code",
+ "password",
+ "client_credentials",
+ "token",
+ "id_token",
+ "refresh_token"
+ ],
+ "redirectUris": [
+ "https://spelunker.ouranos.helu.ca/accounts/oidc/casdoor/login/callback/"
+ ],
+ "tokenFormat": "JWT",
+ "tokenFields": [],
+ "expireInHours": 168,
+ "failedSigninLimit": 5,
+ "failedSigninFrozenTime": 15,
+ "formCss": "",
+ "footerHtml": "
Powered by Helu.ca
"
+ },
 {
 "owner": "admin",
 "name": "gitea",
@@ -111,8 +249,8 @@
 "cert": "cert-heluca",
 "enablePassword": true,
 "enableSignUp": false,
- "clientId": "{{ vault_gitea_oauth_client_id }}",
- "clientSecret": "{{ vault_gitea_oauth_client_secret }}",
+ "clientId": "{{ gitea_oauth_client_id }}",
+ "clientSecret": "{{ gitea_oauth_client_secret }}",
 "providers": [],
 "signinMethods": [
 {"name": "Password", "displayName": "Password", "rule": "All"}
@@ -146,8 +284,8 @@
 "cert": "cert-heluca",
 "enablePassword": true,
 "enableSignUp": false,
- "clientId": "{{ vault_jupyterlab_oauth_client_id }}",
- "clientSecret": "{{ vault_jupyterlab_oauth_client_secret }}",
+ "clientId": "{{ jupyterlab_oauth_client_id }}",
+ "clientSecret": "{{ jupyterlab_oauth_client_secret }}",
 "providers": [],
 "signinMethods": [
 {"name": "Password", "displayName": "Password", "rule": "All"}
@@ -181,8 +319,8 @@
 "cert": "cert-heluca",
 "enablePassword": true,
 "enableSignUp": false,
- "clientId": "{{ vault_searxng_oauth_client_id }}",
- "clientSecret": "{{ vault_searxng_oauth_client_secret }}",
+ "clientId": "{{ searxng_oauth_client_id }}",
+ "clientSecret": "{{ searxng_oauth_client_secret }}",
 "providers": [],
 "signinMethods": [
 {"name": "Password", "displayName": "Password", "rule": "All"}
@@ -216,8 +354,8 @@
 "cert": "cert-heluca",
 "enablePassword": true,
 "enableSignUp": false,
- "clientId": "{{ vault_openwebui_oauth_client_id }}",
- "clientSecret": "{{ vault_openwebui_oauth_client_secret }}",
+ "clientId": "{{ openwebui_oauth_client_id }}",
+ "clientSecret": "{{ openwebui_oauth_client_secret }}",
 "providers": [],
 "signinMethods": [
 {"name": "Password", "displayName": "Password", "rule": "All"}
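Review bot: The `grantTypes` list in the three added applications (athena, kairos, spelunker) enables `password`, `token` and `id_token` next to `authorization_code`, although the only redirect URI registered for each is a server-side `/accounts/oidc/casdoor/login/callback/` endpoint. The resource-owner password and implicit grants are discouraged by current OAuth 2.0 security guidance (RFC 9700), and `client_credentials` lets any holder of the client secret obtain tokens without a user. If these clients only use the code flow, the list could be reduced to `"authorization_code", "refresh_token"`. The new entries also set `"enableSignUp": true` with `"expireInHours": 168`, whereas the gitea, jupyterlab, searxng and openwebui entries in the same file show `"enableSignUp": false`; it is worth confirming that open self-registration with week-long JWTs is intended here.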
@@ -251,8 +389,8 @@
 "cert": "cert-heluca",
 "enablePassword": true,
 "enableSignUp": false,
- "clientId": "{{ vault_daedalus_oauth_client_id }}",
- "clientSecret": "{{ vault_daedalus_oauth_client_secret }}",
+ "clientId": "{{ daedalus_oauth_client_id }}",
+ "clientSecret": "{{ daedalus_oauth_client_secret }}",
 "providers": [],
 "signinMethods": [
 {"name": "Password", "displayName": "Password", "rule": "All"}
diff --git a/ansible/inventory/host_vars/titania.incus.yml b/ansible/inventory/host_vars/titania.incus.yml
index 707ef52..3ab3847 100644
--- a/ansible/inventory/host_vars/titania.incus.yml
+++ b/ansible/inventory/host_vars/titania.incus.yml
@@ -220,3 +220,16 @@ casdoor_ldaps_server_port: 0
 casdoor_radius_server_port: 1812
 casdoor_radius_default_organization: "built-in"
 casdoor_radius_secret: "{{ vault_casdoor_radius_secret }}"
+# Oath2
+angelia_oauth_client_id: "{{ vault_angelia_oauth_client_id }}"
+angelia_oauth_client_secret: "{{ vault_angelia_oauth_client_secret }}"
+daedalus_oauth_client_id: "{{ vault_daedalus_oauth_client_id }}"
+daedalus_oauth_client_secret: "{{ vault_daedalus_oauth_client_secret }}"
+gitea_oauth_client_id: "{{ vault_gitea_oauth_client_id }}"
+gitea_oauth_client_secret: "{{ vault_gitea_oauth_client_secret }}"
+jupyterlab_oauth_client_id: "{{ vault_jupyterlab_oauth_client_id }}"
+jupyterlab_oauth_client_secret: "{{ vault_jupyterlab_oauth_client_secret }}"
+openwebui_oauth_client_id: "{{ vault_openwebui_oauth_client_id }}"
+openwebui_oauth_client_secret: "{{ vault_openwebui_oauth_client_secret }}"
+searxng_oauth_client_id: "{{ vault_searxng_oauth_client_id }}"
+searxng_oauth_client_secret: "{{ vault_searxng_oauth_client_secret }}"
\ No newline at end of file
diff --git a/terraform/containers.tf b/terraform/containers.tf
index 3f7009f..0f60894 100644
--- a/terraform/containers.tf
+++ b/terraform/containers.tf
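Review bot: The block added to `titania.incus.yml` maps `*_oauth_client_id` and `*_oauth_client_secret` for angelia, daedalus, gitea, jupyterlab, openwebui and searxng, but the Casdoor template in this same commit also reads `athena_oauth2_client_id`, `kairos_oauth2_client_id` and `spelunker_oauth2_client_id` with their matching secrets. Those six names are not defined in this hunk and use a different `oauth2` infix, so unless they already exist elsewhere in the inventory the template task will fail on undefined variables by default. Add the mappings here or confirm where they live, and consider one naming scheme for all clients. The comment `# Oath2` is presumably meant to read `# OAuth2`, and the file now ends without a trailing newline.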
@@ -31,8 +31,8 @@ EOT
 name = "app_ports"
 type = "proxy"
 properties = {
- listen = "tcp:0.0.0.0:25580-25599"
- connect = "tcp:127.0.0.1:25580-25599"
+ listen = "tcp:0.0.0.0:25590-25599"
+ connect = "tcp:127.0.0.1:25590-25599"
 }
 }]
 }
@@ -114,15 +114,15 @@ EOT
 name = "puck_ports"
 type = "proxy"
 properties = {
- listen = "tcp:0.0.0.0:25570-25579"
- connect = "tcp:127.0.0.1:25570-25579"
+ listen = "tcp:0.0.0.0:25570-25589"
+ connect = "tcp:127.0.0.1:25570-25589"
 }
 },
 {
 name = "puck_rdp"
 type = "proxy"
 properties = {
- listen = "tcp:0.0.0.0:25520"
+ listen = "tcp:0.0.0.0:25589"
 connect = "tcp:127.0.0.1:3389"
 }
 },
@@ -145,7 +145,7 @@ EOT
 name = "caliban"
 type = "proxy"
 properties = {
- listen = "tcp:0.0.0.0:25521"
+ listen = "tcp:0.0.0.0:25519"
 connect = "tcp:127.0.0.1:3389"
 }
 },
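Review bot: In the second hunk `puck_ports` now listens on `tcp:0.0.0.0:25570-25589` while `puck_rdp`, in the same device list, listens on `tcp:0.0.0.0:25589`, so both proxy devices claim host port 25589 and one of them will likely fail to bind. Either end the range at 25588 (`listen = "tcp:0.0.0.0:25570-25588"` with the matching `connect`) or give `puck_rdp` a port outside the range. Separately, `puck_rdp` and `caliban` (third hunk) forward RDP to port 3389 from all host interfaces; if the host is reachable from untrusted networks, binding these listeners to a management address would narrow that exposure. The enclosing resource blocks start and end outside the hunks.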