feat(services): multi-domain routing, split-horizon and OIDC hardening
Bundle of cross-role changes for the gymb services deployment: - Traefik routers: OR-combine opnform/homarr/bookstack Host rules with new *_extra_domains (internal *.int.* FQDNs for a DMZ reverseproxy), and emit tls.certresolver only when traefik_cert_mode == acme (drawio, homarr, opnform, send). - Split-horizon: bookstack_extra_hosts / opnform_extra_hosts add container /etc/hosts overrides so containers reach the IdP public FQDN over the LAN. - bookstack: assert the OIDC issuer resolves concretely (reject "//v2.0"), allowing non-Entra IdPs that override bookstack_oidc_issuer. - homarr: derive the bcrypt salt from the password digest so the admin hash is idempotent — no spurious template changes / container restarts. - opnform: PATCH an existing OIDC connection instead of skipping (applies corrected inventory on re-run); add OIDC_FORCE_LOGIN (enabled only after bootstrap) and an optional direct-SSO ingress entrypoint. Docs: READMEs and meta/argument_specs.yml updated for all new variables.
This commit is contained in:
Simon Bärlocher
parent
1dcff92240
commit
19864d79b2
17 changed files with 309 additions and 37 deletions
|
|
@ -112,19 +112,17 @@
|
|||
# =====================================================================
|
||||
|
||||
- name: Generate bcrypt hash for admin password
|
||||
ansible.builtin.shell:
|
||||
cmd: python3 -c "import bcrypt, sys; print(bcrypt.hashpw(sys.stdin.read().encode(), bcrypt.gensalt(rounds=10)).decode())"
|
||||
stdin: "{{ homarr_admin_password }}"
|
||||
stdin_add_newline: false
|
||||
delegate_to: localhost
|
||||
become: false
|
||||
register: bcrypt_result
|
||||
changed_when: false
|
||||
no_log: true
|
||||
|
||||
- name: Set bcrypt hash fact
|
||||
ansible.builtin.set_fact:
|
||||
homarr_bcrypt_hash: "{{ bcrypt_result.stdout }}"
|
||||
# Deterministic salt derived from the password's SHA-256 digest so the
|
||||
# hash stays stable across runs (idempotent — no spurious template
|
||||
# changes / container restarts when the password is unchanged). The
|
||||
# bcrypt salt alphabet is [./A-Za-z0-9]; the digest's hex chars are
|
||||
# a strict subset, so we just take the first 22.
|
||||
homarr_bcrypt_hash: >-
|
||||
{{ homarr_admin_password
|
||||
| password_hash('bcrypt', rounds=10,
|
||||
salt=(homarr_admin_password
|
||||
| hash('sha256'))[:22]) }}
|
||||
no_log: true
|
||||
|
||||
# =====================================================================
|
||||
|
|
@ -161,4 +159,4 @@
|
|||
register: seed_result
|
||||
changed_when: seed_result.rc == 0
|
||||
when: admin_exists.stdout == ""
|
||||
notify: restart homarr
|
||||
notify: restart homarr
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue