docs(collection): document all roles and fix metadata drift

Replace ansible-galaxy init placeholders across the collection and
correct documentation that drifted from the code, after a multi-agent
review of every role README against its defaults, tasks and templates.

Collection level:
- README: role table for all 16 roles, requirements and role-ordering
- galaxy.yml: declare community.docker and community.general deps,
  real description/tags/urls; normalize license to MIT-0
- meta/runtime.yml: requires_ansible '>=2.15.0'
- plugins/README: document the homarr_layout filter and
  garage_credentials lookup instead of scaffold boilerplate

Per-role meta/main.yml and README for the placeholder roles
(389ds, authentik, authentik_outpost_ldap, base, collabora, drawio,
garage, homarr, httpbin, keycloak, nextcloud, opencloud, traefik).

Correctness fixes found during review:
- keycloak: wrong domain default, drop invented keycloak_cert_resolver,
  document the provisioning feature
- garage: root_domain is .s3.<first-entry>, not the bare domain
- opnform: jwt/front_api secrets use `openssl rand -hex 32`; align the
  validation fail_msg in tasks/main.yml accordingly
- send: S3 example references garage_s3_domains[0] (was singular)
- opencloud: document required opencloud_wopi_domain

License normalized to MIT-0 across galaxy.yml, role meta and READMEs to
match the SPDX headers.
Simon Bärlocher 2026-05-27 22:33:42 +02:00
parent 518d80ec71
commit 03bf0efe44
No known key found for this signature in database
GPG key ID: 63DE20495932047A
38 changed files with 740 additions and 625 deletions


@ -46,10 +46,14 @@ secrets to version control.**
| Variable | Format | Generate with |
|---|---|---|
| `opnform_app_key` | `base64:<32 bytes base64>` | `echo "base64:$(openssl rand -base64 32)"` |
| `opnform_jwt_secret` | 32 bytes base64 | `openssl rand -base64 32` |
| `opnform_front_api_secret` | 32 bytes base64 | `openssl rand -base64 32` |
| `opnform_jwt_secret` | 32-byte hex string | `openssl rand -hex 32` |
| `opnform_front_api_secret` | 32-byte hex string | `openssl rand -hex 32` |
| `opnform_db_password` | strong password | `openssl rand -base64 24` |
`opnform_app_key` MUST keep the `base64:` prefix — the validation task
asserts it. `opnform_jwt_secret` and `opnform_front_api_secret` have no
enforced format; any sufficiently random value works.
When `opnform_oidc_enabled` is `true`:
| Variable | Source |
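Review bot: The Format cell "32-byte hex string" for `opnform_jwt_secret` and `opnform_front_api_secret` is ambiguous, because `openssl rand -hex 32` prints 64 hexadecimal characters encoding 32 random bytes. Suggest "64 hex characters (32 random bytes)" so nobody truncates the value to 32 characters. The paragraph under the table says these two secrets have no enforced format, so it would also help to say in one sentence why hex is now the recommended form, or that the earlier base64 values remain acceptable.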
@ -209,3 +213,7 @@ opnform_db_password: "{{ lookup('community.hashi_vault.vault_kv2_get',
'digitalboard/opnform',
mount_point='kv').data.data.db_password }}"
```
## License
MIT-0


@ -15,10 +15,11 @@
- opnform_front_api_secret | length > 0
- opnform_db_password | length > 0
fail_msg: >-
OpnForm requires opnform_app_key (prefix 'base64:'), opnform_jwt_secret,
OpnForm requires opnform_app_key, opnform_jwt_secret,
opnform_front_api_secret and opnform_db_password.
Generate with: openssl rand -base64 32
The app_key MUST be prefixed with "base64:"
Generate with:
opnform_app_key='base64:'$(openssl rand -base64 32) (the 'base64:' prefix is required);
opnform_jwt_secret and opnform_front_api_secret via openssl rand -hex 32.
Provide via OpenBao, Ansible Vault or extra-vars.
success_msg: Secrets validation passed
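Review bot: The rewritten fail_msg still lists opnform_db_password as required, but its "Generate with:" text now covers only the app key and the two hex secrets, so a user who hits this failure because of a missing password gets no generation hint. Suggest adding the README's command for it (openssl rand -base64 24). The app key hint is also written as a shell assignment, opnform_app_key='base64:'$(openssl rand -base64 32), while the README table uses echo "base64:$(openssl rand -base64 32)"; using the same form in both places keeps the two in sync. Separately, the assertions visible in this hunk only check length > 0, so if the 'base64:' prefix check that the README refers to is not among the conditions above these lines, it should be added there.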