docs(roles): add argument_specs and README for traefik, authentik, drawio, garage, nextcloud

Each of the five roles touched in this branch now ships: * meta/argument_specs.yml: typed schema for every variable in defaults/main.yml plus the optional inputs surfaced via this branch (traefik_extra_hosts, authentik_host_rewrite_domains, authentik_proxy_apps.mode / .allowed_groups, drawio_extra_domains, drawio_authentik_forward_auth*, garage_webui_authentik_forward_auth*). All five specs load cleanly through ansible-core's ArgumentSpecValidator. * README.md: replaces the ansible-galaxy boilerplate (where it was still in place) with a focused write-up — service vars, required secrets, ForwardAuth/idempotency notes, dependencies, and a working example playbook. authentik and garage READMEs are rewritten to cover the new knobs while preserving their existing content.
2026-05-26 14:16:47 +02:00 · 2026-05-26 14:16:47 +02:00 · 14c81657d7
commit 14c81657d7
parent 1f9292cc9a
10 changed files with 1348 additions and 143 deletions
--- a/roles/drawio/meta/argument_specs.yml
+++ b/roles/drawio/meta/argument_specs.yml
@ -0,0 +1,64 @@
+---
+argument_specs:
+  main:
+    short_description: Deploy draw.io diagram editor via Docker Compose behind Traefik.
+    description:
+      - Renders a Compose stack for jgraph/drawio with traefik labels, optional
+        TLS and optional authentik ForwardAuth gating.
+    options:
+      docker_compose_base_dir:
+        type: path
+        default: /etc/docker/compose
+      drawio_service_name:
+        type: str
+        default: drawio
+      drawio_docker_compose_dir:
+        type: path
+        description: Defaults to C({{ docker_compose_base_dir }}/{{ drawio_service_name }}).
+
+      drawio_domain:
+        type: str
+        default: drawio.local.test
+        description: Canonical hostname used in the traefik Host rule.
+      drawio_extra_domains:
+        type: list
+        elements: str
+        default: []
+        description:
+          - Additional hostnames the same drawio container should answer on,
+            e.g. an internal C(*.int.*) FQDN so a DMZ reverse-proxy can reach
+            drawio via a backend hostname covered by the local traefik cert.
+      drawio_image:
+        type: str
+        default: jgraph/drawio:latest
+      drawio_port:
+        type: int
+        default: 8080
+      drawio_extra_hosts:
+        type: list
+        elements: str
+        default: []
+        description: C(extra_hosts) entries injected into the container (Docker C(host:ip) syntax).
+
+      drawio_traefik_network:
+        type: str
+        default: proxy
+      drawio_use_ssl:
+        type: bool
+        default: true
+
+      drawio_authentik_forward_auth:
+        type: bool
+        default: false
+        description:
+          - When true, traefik attaches a ForwardAuth middleware pointing at
+            the authentik embedded outpost. Unauthenticated requests are
+            redirected to authentik for login and the resulting
+            C(X-Authentik-*) identity headers are forwarded downstream.
+      drawio_authentik_forward_auth_url:
+        type: str
+        default: ''
+        description:
+          - URL of the authentik ForwardAuth endpoint, typically
+            C(https://auth.example.com/outpost.goauthentik.io/auth/traefik).
+            Required when C(drawio_authentik_forward_auth=true).