docs: rewrite README with structured overview and quick start guide

Replaces the minimal project description with a comprehensive README including a component overview table, quick start instructions, common Ansible operations, and links to detailed documentation. Aligns with Red Panda Approval™ standards.
2026-03-03 12:49:06 +00:00
parent c7be03a743
commit b4d60f2f38
219 changed files with 34586 additions and 2 deletions
--- a/ansible/oauth2_proxy/oauth2-proxy.cfg.j2
+++ b/ansible/oauth2_proxy/oauth2-proxy.cfg.j2
@@ -0,0 +1,67 @@
+# OAuth2-Proxy Configuration
+# Authenticates users via Casdoor OIDC before proxying to upstream services
+# Red Panda Approved
+
+# Provider Configuration (Casdoor OIDC)
+provider = "oidc"
+provider_display_name = "Casdoor"
+oidc_issuer_url = "{{ oauth2_proxy_oidc_issuer_url }}"
+client_id = "{{ oauth2_proxy_client_id }}"
+client_secret = "{{ oauth2_proxy_client_secret }}"
+
+# Redirect URL after authentication
+redirect_url = "{{ oauth2_proxy_redirect_url }}"
+
+# Upstream service
+upstreams = [
+    "{{ oauth2_proxy_upstream_url }}"
+]
+
+# Session/Cookie Configuration
+cookie_secret = "{{ oauth2_proxy_cookie_secret }}"
+cookie_name = "{{ oauth2_proxy_cookie_name | default('_oauth2_proxy') }}"
+cookie_secure = true
+cookie_httponly = true
+cookie_expire = "{{ oauth2_proxy_cookie_expire | default('168h') }}"
+cookie_refresh = "{{ oauth2_proxy_cookie_refresh | default('1h') }}"
+cookie_domains = ".{{ oauth2_proxy_cookie_domain }}"
+session_store_type = "cookie"
+
+# Authentication settings
+email_domains = {{ oauth2_proxy_email_domains | to_json }}
+oidc_email_claim = "email"
+oidc_groups_claim = "groups"
+
+# Allow specific groups (if configured in Casdoor)
+{% if oauth2_proxy_allowed_groups is defined and oauth2_proxy_allowed_groups | length > 0 %}
+allowed_groups = {{ oauth2_proxy_allowed_groups | to_json }}
+{% endif %}
+
+# Request settings
+pass_access_token = false
+pass_authorization_header = false
+set_authorization_header = false
+set_xauthrequest = true
+
+# Logging
+request_logging = true
+auth_logging = true
+standard_logging = true
+
+# Network settings
+http_address = "0.0.0.0:4180"
+reverse_proxy = true
+real_client_ip_header = "X-Forwarded-For"
+
+# Skip authentication for health check endpoints
+skip_auth_routes = [
+    "^/healthz$",
+    "^/ping$"
+]
+
+# OIDC specific settings
+skip_provider_button = true
+oidc_extra_audiences = []
+
+# SSL verification
+ssl_insecure_skip_verify = {{ oauth2_proxy_skip_ssl_verify | default(false) | lower }}